| Repository | antonputra / tutorials |
|---|---|
| Description | DevOps Tutorials |
| Stars | 1629 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation: no security scanning tool was found in any of the CI/CD configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output is shown below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository
Checkov Output
The run below was made without --download-external-modules, so checkov did not fetch the registry and git modules the lessons reference (the warnings at the top of the output). Resources created inside those modules were not evaluated, and the one parsing error in the summary means at least one file was skipped as well; the findings cover only resources declared directly in the repository.
2023-10-05 14:39:34,859 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/eks/aws//modules/karpenter:19.10.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:39:34,859 [MainThread ] [WARNI] Failed to download module github.com/aws-ia/terraform-aws-eks-blueprints?ref=v4.25.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:39:34,859 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/vpc/aws:3.19.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:39:34,860 [MainThread ] [WARNI] Failed to download module github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons?ref=v4.25.0:2.4.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:39:34,860 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/vpc/aws:4.0.2 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:39:34,860 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/eks/aws:19.15.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:39:34,860 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/vpc/aws:4.0.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:39:34,860 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/eks/aws:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:39:34,863 [MainThread ] [WARNI] Failed to download module [email protected]:antonputra/terraform-aws-prometheus.git//?ref=v0.0.1:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:39:34,864 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/vpc/aws:5.0.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:39:34,864 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.3.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:39:34,865 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.3.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:39:34,865 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/iam/aws//modules/iam-user:5.3.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:39:34,865 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/iam/aws//modules/iam-group-with-policies:5.3.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:39:34,866 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:5.3.1 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:39:34,866 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/vpc/aws:3.14.3 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:39:34,866 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/eks/aws:18.29.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:39:34,866 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/eks/aws:19.15.3 (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 2617, Failed checks: 1131, Skipped checks: 0, Parsing errors: 1
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.nginx
File: /lessons/014/main.tf:13-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
13 | resource "aws_security_group" "nginx" {
14 |   name   = "nginx_access"
15 |   vpc_id = local.vpc_id
16 |
17 |   ingress {
18 |     from_port   = 22
19 |     to_port     = 22
20 |     protocol    = "tcp"
21 |     cidr_blocks = ["0.0.0.0/0"]
22 |   }
23 |
24 |   ingress {
25 |     from_port   = 80
26 |     to_port     = 80
27 |     protocol    = "tcp"
28 |     cidr_blocks = ["0.0.0.0/0"]
29 |   }
30 |
31 |   egress {
32 |     from_port   = 0
33 |     to_port     = 0
34 |     protocol    = "-1"
35 |     cidr_blocks = ["0.0.0.0/0"]
36 |   }
37 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.nginx
File: /lessons/014/main.tf:13-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
13 | resource "aws_security_group" "nginx" {
14 |   name   = "nginx_access"
15 |   vpc_id = local.vpc_id
16 |
17 |   ingress {
18 |     from_port   = 22
19 |     to_port     = 22
20 |     protocol    = "tcp"
21 |     cidr_blocks = ["0.0.0.0/0"]
22 |   }
23 |
24 |   ingress {
25 |     from_port   = 80
26 |     to_port     = 80
27 |     protocol    = "tcp"
28 |     cidr_blocks = ["0.0.0.0/0"]
29 |   }
30 |
31 |   egress {
32 |     from_port   = 0
33 |     to_port     = 0
34 |     protocol    = "-1"
35 |     cidr_blocks = ["0.0.0.0/0"]
36 |   }
37 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.nginx
File: /lessons/014/main.tf:13-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
13 | resource "aws_security_group" "nginx" {
14 |   name   = "nginx_access"
15 |   vpc_id = local.vpc_id
16 |
17 |   ingress {
18 |     from_port   = 22
19 |     to_port     = 22
20 |     protocol    = "tcp"
21 |     cidr_blocks = ["0.0.0.0/0"]
22 |   }
23 |
24 |   ingress {
25 |     from_port   = 80
26 |     to_port     = 80
27 |     protocol    = "tcp"
28 |     cidr_blocks = ["0.0.0.0/0"]
29 |   }
30 |
31 |   egress {
32 |     from_port   = 0
33 |     to_port     = 0
34 |     protocol    = "-1"
35 |     cidr_blocks = ["0.0.0.0/0"]
36 |   }
37 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.nginx
File: /lessons/014/main.tf:39-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
39 | resource "aws_instance" "nginx" {
40 |   ami                         = "ami-0dba2cb6798deb6d8"
41 |   subnet_id                   = "subnet-060a1ae52cf0a73d6"
42 |   instance_type               = "t2.micro"
43 |   associate_public_ip_address = true
44 |   security_groups             = [aws_security_group.nginx.id]
45 |   key_name                    = local.key_name
46 |
47 |   provisioner "remote-exec" {
48 |     inline = ["echo 'Wait until SSH is ready'"]
49 |
50 |     connection {
51 |       type        = "ssh"
52 |       user        = local.ssh_user
53 |       private_key = file(local.private_key_path)
54 |       host        = aws_instance.nginx.public_ip
55 |     }
56 |   }
57 |   provisioner "local-exec" {
58 |     command = "ansible-playbook -i ${aws_instance.nginx.public_ip}, --private-key ${local.private_key_path} nginx.yaml"
59 |   }
60 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.nginx
File: /lessons/014/main.tf:39-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
39 | resource "aws_instance" "nginx" {
40 |   ami                         = "ami-0dba2cb6798deb6d8"
41 |   subnet_id                   = "subnet-060a1ae52cf0a73d6"
42 |   instance_type               = "t2.micro"
43 |   associate_public_ip_address = true
44 |   security_groups             = [aws_security_group.nginx.id]
45 |   key_name                    = local.key_name
46 |
47 |   provisioner "remote-exec" {
48 |     inline = ["echo 'Wait until SSH is ready'"]
49 |
50 |     connection {
51 |       type        = "ssh"
52 |       user        = local.ssh_user
53 |       private_key = file(local.private_key_path)
54 |       host        = aws_instance.nginx.public_ip
55 |     }
56 |   }
57 |   provisioner "local-exec" {
58 |     command = "ansible-playbook -i ${aws_instance.nginx.public_ip}, --private-key ${local.private_key_path} nginx.yaml"
59 |   }
60 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.nginx
File: /lessons/014/main.tf:39-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
39 | resource "aws_instance" "nginx" {
40 |   ami                         = "ami-0dba2cb6798deb6d8"
41 |   subnet_id                   = "subnet-060a1ae52cf0a73d6"
42 |   instance_type               = "t2.micro"
43 |   associate_public_ip_address = true
44 |   security_groups             = [aws_security_group.nginx.id]
45 |   key_name                    = local.key_name
46 |
47 |   provisioner "remote-exec" {
48 |     inline = ["echo 'Wait until SSH is ready'"]
49 |
50 |     connection {
51 |       type        = "ssh"
52 |       user        = local.ssh_user
53 |       private_key = file(local.private_key_path)
54 |       host        = aws_instance.nginx.public_ip
55 |     }
56 |   }
57 |   provisioner "local-exec" {
58 |     command = "ansible-playbook -i ${aws_instance.nginx.public_ip}, --private-key ${local.private_key_path} nginx.yaml"
59 |   }
60 | }
Check: CKV_AWS_88: "EC2 instance should not have public IP."
FAILED for resource: aws_instance.nginx
File: /lessons/014/main.tf:39-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html
39 | resource "aws_instance" "nginx" {
40 |   ami                         = "ami-0dba2cb6798deb6d8"
41 |   subnet_id                   = "subnet-060a1ae52cf0a73d6"
42 |   instance_type               = "t2.micro"
43 |   associate_public_ip_address = true
44 |   security_groups             = [aws_security_group.nginx.id]
45 |   key_name                    = local.key_name
46 |
47 |   provisioner "remote-exec" {
48 |     inline = ["echo 'Wait until SSH is ready'"]
49 |
50 |     connection {
51 |       type        = "ssh"
52 |       user        = local.ssh_user
53 |       private_key = file(local.private_key_path)
54 |       host        = aws_instance.nginx.public_ip
55 |     }
56 |   }
57 |   provisioner "local-exec" {
58 |     command = "ansible-playbook -i ${aws_instance.nginx.public_ip}, --private-key ${local.private_key_path} nginx.yaml"
59 |   }
60 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.nginx
File: /lessons/014/main.tf:39-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
39 | resource "aws_instance" "nginx" {
40 |   ami                         = "ami-0dba2cb6798deb6d8"
41 |   subnet_id                   = "subnet-060a1ae52cf0a73d6"
42 |   instance_type               = "t2.micro"
43 |   associate_public_ip_address = true
44 |   security_groups             = [aws_security_group.nginx.id]
45 |   key_name                    = local.key_name
46 |
47 |   provisioner "remote-exec" {
48 |     inline = ["echo 'Wait until SSH is ready'"]
49 |
50 |     connection {
51 |       type        = "ssh"
52 |       user        = local.ssh_user
53 |       private_key = file(local.private_key_path)
54 |       host        = aws_instance.nginx.public_ip
55 |     }
56 |   }
57 |   provisioner "local-exec" {
58 |     command = "ansible-playbook -i ${aws_instance.nginx.public_ip}, --private-key ${local.private_key_path} nginx.yaml"
59 |   }
60 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.nginx
File: /lessons/020/main.tf:118-145
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
118 | resource "aws_security_group" "nginx" {
119 |   name        = "nginx"
120 |   description = "Access for Nginx"
121 |   vpc_id      = aws_vpc.main.id
122 |
123 |   ingress {
124 |     description = "Web Access"
125 |     from_port   = 80
126 |     to_port     = 80
127 |     protocol    = "tcp"
128 |     cidr_blocks = ["0.0.0.0/0"]
129 |   }
130 |
131 |   ingress {
132 |     description = "SSH Access"
133 |     from_port   = 22
134 |     to_port     = 22
135 |     protocol    = "tcp"
136 |     cidr_blocks = ["0.0.0.0/0"]
137 |   }
138 |
139 |   egress {
140 |     from_port   = 0
141 |     to_port     = 0
142 |     protocol    = "-1"
143 |     cidr_blocks = ["0.0.0.0/0"]
144 |   }
145 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.nginx
File: /lessons/020/main.tf:118-145
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
118 | resource "aws_security_group" "nginx" {
119 |   name        = "nginx"
120 |   description = "Access for Nginx"
121 |   vpc_id      = aws_vpc.main.id
122 |
123 |   ingress {
124 |     description = "Web Access"
125 |     from_port   = 80
126 |     to_port     = 80
127 |     protocol    = "tcp"
128 |     cidr_blocks = ["0.0.0.0/0"]
129 |   }
130 |
131 |   ingress {
132 |     description = "SSH Access"
133 |     from_port   = 22
134 |     to_port     = 22
135 |     protocol    = "tcp"
136 |     cidr_blocks = ["0.0.0.0/0"]
137 |   }
138 |
139 |   egress {
140 |     from_port   = 0
141 |     to_port     = 0
142 |     protocol    = "-1"
143 |     cidr_blocks = ["0.0.0.0/0"]
144 |   }
145 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.nginx
File: /lessons/020/main.tf:118-145
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
118 | resource "aws_security_group" "nginx" {
119 |   name        = "nginx"
120 |   description = "Access for Nginx"
121 |   vpc_id      = aws_vpc.main.id
122 |
123 |   ingress {
124 |     description = "Web Access"
125 |     from_port   = 80
126 |     to_port     = 80
127 |     protocol    = "tcp"
128 |     cidr_blocks = ["0.0.0.0/0"]
129 |   }
130 |
131 |   ingress {
132 |     description = "SSH Access"
133 |     from_port   = 22
134 |     to_port     = 22
135 |     protocol    = "tcp"
136 |     cidr_blocks = ["0.0.0.0/0"]
137 |   }
138 |
139 |   egress {
140 |     from_port   = 0
141 |     to_port     = 0
142 |     protocol    = "-1"
143 |     cidr_blocks = ["0.0.0.0/0"]
144 |   }
145 | }
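The same security group appears in lessons/014 and lessons/020 and trips three checks each time: CKV_AWS_23 because a rule has no description (in lessons/020 the two ingress rules are described but the egress rule is not, which is enough to fail), and CKV_AWS_24 and CKV_AWS_260 because SSH and HTTP accept 0.0.0.0/0. The version below is an added example based on the lessons/020 resource, not code from the tutorials repository. It keeps the lesson's aws_vpc.main reference and assumes a variable admin_cidr_blocks for the ranges allowed to reach SSH. Public HTTP is kept on purpose for a demo web server, and that decision is recorded with checkov's inline skip comment inside the resource, so the finding is suppressed with a reason instead of being ignored.

```hcl
variable "admin_cidr_blocks" {
  description = "Source ranges allowed to reach SSH (assumed; a bastion or office egress range)"
  type        = list(string)
  default     = ["203.0.113.0/24"] # documentation range, replace with your own
}

resource "aws_security_group" "nginx" {
  #checkov:skip=CKV_AWS_260:Public HTTP is the purpose of this demo web server
  name        = "nginx"
  description = "Access for Nginx"
  vpc_id      = aws_vpc.main.id

  ingress {
    description = "Web Access"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # CKV_AWS_24: SSH only from the admin ranges, never from 0.0.0.0/0.
  ingress {
    description = "SSH Access from admin ranges"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.admin_cidr_blocks
  }

  # CKV_AWS_23 requires a description on every rule, egress included.
  egress {
    description = "Outbound for package installs and updates"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Re-running `checkov -d lessons/020 --check CKV_AWS_23,CKV_AWS_24,CKV_AWS_260` against this file reports the first two as passed and CKV_AWS_260 as skipped with the recorded reason, so the suppression stays visible in the summary. If the real deployment terminates TLS on a load balancer, drop the port 80 rule and the skip comment and admit traffic only from the load balancer's security group.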
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.nginx
File: /lessons/020/main.tf:149-158
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
149 | resource "aws_instance" "nginx" {
150 |   ami                    = "ami-0dba2cb6798deb6d8"
151 |   instance_type          = "t2.micro"
152 |   vpc_security_group_ids = [aws_security_group.nginx.id]
153 |   key_name               = "devops"
154 |
155 |   tags = {
156 |     Name = "Nginx"
157 |   }
158 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.nginx
File: /lessons/020/main.tf:149-158
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
149 | resource "aws_instance" "nginx" {
150 |   ami                    = "ami-0dba2cb6798deb6d8"
151 |   instance_type          = "t2.micro"
152 |   vpc_security_group_ids = [aws_security_group.nginx.id]
153 |   key_name               = "devops"
154 |
155 |   tags = {
156 |     Name = "Nginx"
157 |   }
158 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.nginx
File: /lessons/020/main.tf:149-158
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
149 | resource "aws_instance" "nginx" {
150 |   ami                    = "ami-0dba2cb6798deb6d8"
151 |   instance_type          = "t2.micro"
152 |   vpc_security_group_ids = [aws_security_group.nginx.id]
153 |   key_name               = "devops"
154 |
155 |   tags = {
156 |     Name = "Nginx"
157 |   }
158 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.nginx
File: /lessons/020/main.tf:149-158
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
149 | resource "aws_instance" "nginx" {
150 |   ami                    = "ami-0dba2cb6798deb6d8"
151 |   instance_type          = "t2.micro"
152 |   vpc_security_group_ids = [aws_security_group.nginx.id]
153 |   key_name               = "devops"
154 |
155 |   tags = {
156 |     Name = "Nginx"
157 |   }
158 | }
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: aws_eks_cluster.eks
File: /lessons/038/terraform/eks.tf:42-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
42 | resource "aws_eks_cluster" "eks" {
43 |   # Name of the cluster.
44 |   name = "eks"
45 |
46 |   # The Amazon Resource Name (ARN) of the IAM role that provides permissions for
47 |   # the Kubernetes control plane to make calls to AWS API operations on your behalf
48 |   role_arn = aws_iam_role.eks_cluster.arn
49 |
50 |   # Desired Kubernetes master version
51 |   version = "1.18"
52 |
53 |   vpc_config {
54 |     # Indicates whether or not the Amazon EKS private API server endpoint is enabled
55 |     endpoint_private_access = false
56 |
57 |     # Indicates whether or not the Amazon EKS public API server endpoint is enabled
58 |     endpoint_public_access = true
59 |
60 |     # Must be in at least two different availability zones
61 |     subnet_ids = [
62 |       aws_subnet.public_1.id,
63 |       aws_subnet.public_2.id,
64 |       aws_subnet.private_1.id,
65 |       aws_subnet.private_2.id
66 |     ]
67 |   }
68 |
69 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
70 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
71 |   depends_on = [
72 |     aws_iam_role_policy_attachment.amazon_eks_cluster_policy
73 |   ]
74 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: aws_eks_cluster.eks
File: /lessons/038/terraform/eks.tf:42-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
42 | resource "aws_eks_cluster" "eks" {
43 |   # Name of the cluster.
44 |   name = "eks"
45 |
46 |   # The Amazon Resource Name (ARN) of the IAM role that provides permissions for
47 |   # the Kubernetes control plane to make calls to AWS API operations on your behalf
48 |   role_arn = aws_iam_role.eks_cluster.arn
49 |
50 |   # Desired Kubernetes master version
51 |   version = "1.18"
52 |
53 |   vpc_config {
54 |     # Indicates whether or not the Amazon EKS private API server endpoint is enabled
55 |     endpoint_private_access = false
56 |
57 |     # Indicates whether or not the Amazon EKS public API server endpoint is enabled
58 |     endpoint_public_access = true
59 |
60 |     # Must be in at least two different availability zones
61 |     subnet_ids = [
62 |       aws_subnet.public_1.id,
63 |       aws_subnet.public_2.id,
64 |       aws_subnet.private_1.id,
65 |       aws_subnet.private_2.id
66 |     ]
67 |   }
68 |
69 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
70 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
71 |   depends_on = [
72 |     aws_iam_role_policy_attachment.amazon_eks_cluster_policy
73 |   ]
74 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: aws_eks_cluster.eks
File: /lessons/038/terraform/eks.tf:42-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
42 | resource "aws_eks_cluster" "eks" {
43 |   # Name of the cluster.
44 |   name = "eks"
45 |
46 |   # The Amazon Resource Name (ARN) of the IAM role that provides permissions for
47 |   # the Kubernetes control plane to make calls to AWS API operations on your behalf
48 |   role_arn = aws_iam_role.eks_cluster.arn
49 |
50 |   # Desired Kubernetes master version
51 |   version = "1.18"
52 |
53 |   vpc_config {
54 |     # Indicates whether or not the Amazon EKS private API server endpoint is enabled
55 |     endpoint_private_access = false
56 |
57 |     # Indicates whether or not the Amazon EKS public API server endpoint is enabled
58 |     endpoint_public_access = true
59 |
60 |     # Must be in at least two different availability zones
61 |     subnet_ids = [
62 |       aws_subnet.public_1.id,
63 |       aws_subnet.public_2.id,
64 |       aws_subnet.private_1.id,
65 |       aws_subnet.private_2.id
66 |     ]
67 |   }
68 |
69 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
70 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
71 |   depends_on = [
72 |     aws_iam_role_policy_attachment.amazon_eks_cluster_policy
73 |   ]
74 | }
Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
FAILED for resource: aws_eks_cluster.eks
File: /lessons/038/terraform/eks.tf:42-74
42 | resource "aws_eks_cluster" "eks" {
43 |   # Name of the cluster.
44 |   name = "eks"
45 |
46 |   # The Amazon Resource Name (ARN) of the IAM role that provides permissions for
47 |   # the Kubernetes control plane to make calls to AWS API operations on your behalf
48 |   role_arn = aws_iam_role.eks_cluster.arn
49 |
50 |   # Desired Kubernetes master version
51 |   version = "1.18"
52 |
53 |   vpc_config {
54 |     # Indicates whether or not the Amazon EKS private API server endpoint is enabled
55 |     endpoint_private_access = false
56 |
57 |     # Indicates whether or not the Amazon EKS public API server endpoint is enabled
58 |     endpoint_public_access = true
59 |
60 |     # Must be in at least two different availability zones
61 |     subnet_ids = [
62 |       aws_subnet.public_1.id,
63 |       aws_subnet.public_2.id,
64 |       aws_subnet.private_1.id,
65 |       aws_subnet.private_2.id
66 |     ]
67 |   }
68 |
69 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
70 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
71 |   depends_on = [
72 |     aws_iam_role_policy_attachment.amazon_eks_cluster_policy
73 |   ]
74 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: aws_eks_cluster.eks
File: /lessons/038/terraform/eks.tf:42-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
42 | resource "aws_eks_cluster" "eks" {
43 |   # Name of the cluster.
44 |   name = "eks"
45 |
46 |   # The Amazon Resource Name (ARN) of the IAM role that provides permissions for
47 |   # the Kubernetes control plane to make calls to AWS API operations on your behalf
48 |   role_arn = aws_iam_role.eks_cluster.arn
49 |
50 |   # Desired Kubernetes master version
51 |   version = "1.18"
52 |
53 |   vpc_config {
54 |     # Indicates whether or not the Amazon EKS private API server endpoint is enabled
55 |     endpoint_private_access = false
56 |
57 |     # Indicates whether or not the Amazon EKS public API server endpoint is enabled
58 |     endpoint_public_access = true
59 |
60 |     # Must be in at least two different availability zones
61 |     subnet_ids = [
62 |       aws_subnet.public_1.id,
63 |       aws_subnet.public_2.id,
64 |       aws_subnet.private_1.id,
65 |       aws_subnet.private_2.id
66 |     ]
67 |   }
68 |
69 |   # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
70 |   # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
71 |   depends_on = [
72 |     aws_iam_role_policy_attachment.amazon_eks_cluster_policy
73 |   ]
74 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_1
File: /lessons/038/terraform/subnets.tf:4-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
4 | resource "aws_subnet" "public_1" {
5 |   # The VPC ID.
6 |   vpc_id = aws_vpc.main.id
7 |
8 |   # The CIDR block for the subnet.
9 |   cidr_block = "192.168.0.0/18"
10 |
11 |   # The AZ for the subnet.
12 |   availability_zone = "us-east-1a"
13 |
14 |   # Required for EKS. Instances launched into the subnet should be assigned a public IP address.
15 |   map_public_ip_on_launch = true
16 |
17 |   # A map of tags to assign to the resource.
18 |   tags = {
19 |     Name                        = "public-us-east-1a"
20 |     "kubernetes.io/cluster/eks" = "shared"
21 |     "kubernetes.io/role/elb"    = 1
22 |   }
23 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_2
File: /lessons/038/terraform/subnets.tf:25-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
25 | resource "aws_subnet" "public_2" {
26 |   # The VPC ID
27 |   vpc_id = aws_vpc.main.id
28 |
29 |   # The CIDR block for the subnet.
30 |   cidr_block = "192.168.64.0/18"
31 |
32 |   # The AZ for the subnet.
33 |   availability_zone = "us-east-1b"
34 |
35 |   # Required for EKS. Instances launched into the subnet should be assigned a public IP address.
36 |   map_public_ip_on_launch = true
37 |
38 |   # A map of tags to assign to the resource.
39 |   tags = {
40 |     Name                        = "public-us-east-1b"
41 |     "kubernetes.io/cluster/eks" = "shared"
42 |     "kubernetes.io/role/elb"    = 1
43 |   }
44 | }
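The cluster in lessons/038 fails five checks and each public subnet fails one more, and all six are fixed on the resources themselves. The block below is an added example, not code from the tutorials repository: it keeps the lesson's role, subnet and policy-attachment references and assumes a new aws_kms_key.eks for secrets encryption. The version is set to 1.28, which was current at the scan date; use whatever the EKS release calendar lists as supported when you apply. The lesson's comment that map_public_ip_on_launch is "Required for EKS" holds only for nodes launched into the public subnets; with nodes in the private subnets, the public subnets exist for internet-facing load balancers and need only the kubernetes.io/role/elb tag.

```hcl
# Customer-managed key for envelope encryption of Kubernetes secrets (CKV_AWS_58).
# Assumed for this example; the lesson has no KMS key.
resource "aws_kms_key" "eks" {
  description         = "EKS secrets envelope encryption"
  enable_key_rotation = true
}

resource "aws_eks_cluster" "eks" {
  name     = "eks"
  role_arn = aws_iam_role.eks_cluster.arn

  # CKV_AWS_339: 1.18 left support long ago; 1.28 was current at the scan date.
  version = "1.28"

  # CKV_AWS_37: all five control-plane log types go to CloudWatch Logs. The audit
  # log is the one incident responders need; the others cover auth and scheduling.
  enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]

  # CKV_AWS_58: secrets are encrypted with the CMK before they reach etcd.
  encryption_config {
    resources = ["secrets"]
    provider {
      key_arn = aws_kms_key.eks.arn
    }
  }

  vpc_config {
    # CKV_AWS_39 and CKV_AWS_38: the API server is reachable over the VPC only.
    # If a public endpoint is unavoidable, keep endpoint_public_access = true and
    # set public_access_cidrs to the operator ranges instead of the 0.0.0.0/0 default.
    endpoint_private_access = true
    endpoint_public_access  = false

    subnet_ids = [
      aws_subnet.public_1.id,
      aws_subnet.public_2.id,
      aws_subnet.private_1.id,
      aws_subnet.private_2.id,
    ]
  }

  depends_on = [aws_iam_role_policy_attachment.amazon_eks_cluster_policy]
}

# CKV_AWS_130: nodes live in the private subnets, so nothing launched into the
# public subnets needs an address by default. The elb role tag is what EKS uses
# to place internet-facing load balancers here.
resource "aws_subnet" "public_1" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "192.168.0.0/18"
  availability_zone       = "us-east-1a"
  map_public_ip_on_launch = false

  tags = {
    Name                        = "public-us-east-1a"
    "kubernetes.io/cluster/eks" = "shared"
    "kubernetes.io/role/elb"    = 1
  }
}
```

Making the endpoint private-only means kubectl has to run from inside the VPC (a bastion, VPN or a CI runner in the VPC). If that is not workable, the public_access_cidrs restriction satisfies CKV_AWS_38 while CKV_AWS_39 keeps failing, and that residual finding is the honest state of the cluster. aws_subnet.public_2 gets the same map_public_ip_on_launch = false change.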
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.server
File: /lessons/040/main.tf:4-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
4 | resource "aws_instance" "server" {
5 |   # The AMI to use for the instance.
6 |   ami = var.ami
7 |
8 |   # The type of instance to start.
9 |   instance_type = "t2.micro"
10 |
11 |   lifecycle {
12 |     create_before_destroy = true
13 |     ignore_changes        = [tags]
14 |   }
15 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.server
File: /lessons/040/main.tf:4-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
4 | resource "aws_instance" "server" {
5 |   # The AMI to use for the instance.
6 |   ami = var.ami
7 |
8 |   # The type of instance to start.
9 |   instance_type = "t2.micro"
10 |
11 |   lifecycle {
12 |     create_before_destroy = true
13 |     ignore_changes        = [tags]
14 |   }
15 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.server
File: /lessons/040/main.tf:4-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
4 | resource "aws_instance" "server" {
5 |   # The AMI to use for the instance.
6 |   ami = var.ami
7 |
8 |   # The type of instance to start.
9 |   instance_type = "t2.micro"
10 |
11 |   lifecycle {
12 |     create_before_destroy = true
13 |     ignore_changes        = [tags]
14 |   }
15 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.server
File: /lessons/040/main.tf:4-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
4 | resource "aws_instance" "server" {
5 |   # The AMI to use for the instance.
6 |   ami = var.ami
7 |
8 |   # The type of instance to start.
9 |   instance_type = "t2.micro"
10 |
11 |   lifecycle {
12 |     create_before_destroy = true
13 |     ignore_changes        = [tags]
14 |   }
15 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.ubuntu
File: /lessons/053/infra-2/main.tf:20-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
20 | resource "aws_instance" "ubuntu" {
21 |   ami           = "ami-013f17f36f8b1fefb"
22 |   instance_type = "t3.micro"
23 |   subnet_id     = "subnet-07fc2d0816e1f6100"
24 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.ubuntu
File: /lessons/053/infra-2/main.tf:20-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
20 | resource "aws_instance" "ubuntu" {
21 |   ami           = "ami-013f17f36f8b1fefb"
22 |   instance_type = "t3.micro"
23 |   subnet_id     = "subnet-07fc2d0816e1f6100"
24 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.ubuntu
File: /lessons/053/infra-2/main.tf:20-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
20 | resource "aws_instance" "ubuntu" {
21 |   ami           = "ami-013f17f36f8b1fefb"
22 |   instance_type = "t3.micro"
23 |   subnet_id     = "subnet-07fc2d0816e1f6100"
24 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.ubuntu
File: /lessons/053/infra-2/main.tf:20-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
20 | resource "aws_instance" "ubuntu" {
21 |   ami           = "ami-013f17f36f8b1fefb"
22 |   instance_type = "t3.micro"
23 |   subnet_id     = "subnet-07fc2d0816e1f6100"
24 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.blue[0]
File: /lessons/063/blue.tf:3-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
3 | resource "aws_instance" "blue" {
4 |   count = var.enable_blue_env ? var.blue_instance_count : 0
5 |
6 |   ami                    = local.ubuntu_ami
7 |   instance_type          = "t2.micro"
8 |   subnet_id              = local.private_a_subnet_id
9 |   vpc_security_group_ids = [aws_security_group.web.id]
10 |
11 |   user_data = templatefile("./init-script.sh", {
12 |     file_content = "blue version 1.2 - ${count.index}"
13 |   })
14 |
15 |   tags = {
16 |     Name = "blue version 1.2 - ${count.index}"
17 |   }
18 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.blue[0]
File: /lessons/063/blue.tf:3-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
3 | resource "aws_instance" "blue" {
4 | count = var.enable_blue_env ? var.blue_instance_count : 0
5 |
6 | ami = local.ubuntu_ami
7 | instance_type = "t2.micro"
8 | subnet_id = local.private_a_subnet_id
9 | vpc_security_group_ids = [aws_security_group.web.id]
10 |
11 | user_data = templatefile("./init-script.sh", {
12 | file_content = "blue version 1.2 - ${count.index}"
13 | })
14 |
15 | tags = {
16 | Name = "blue version 1.2 - ${count.index}"
17 | }
18 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.blue[0]
File: /lessons/063/blue.tf:3-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
3 | resource "aws_instance" "blue" {
4 | count = var.enable_blue_env ? var.blue_instance_count : 0
5 |
6 | ami = local.ubuntu_ami
7 | instance_type = "t2.micro"
8 | subnet_id = local.private_a_subnet_id
9 | vpc_security_group_ids = [aws_security_group.web.id]
10 |
11 | user_data = templatefile("./init-script.sh", {
12 | file_content = "blue version 1.2 - ${count.index}"
13 | })
14 |
15 | tags = {
16 | Name = "blue version 1.2 - ${count.index}"
17 | }
18 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.blue[0]
File: /lessons/063/blue.tf:3-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
3 | resource "aws_instance" "blue" {
4 | count = var.enable_blue_env ? var.blue_instance_count : 0
5 |
6 | ami = local.ubuntu_ami
7 | instance_type = "t2.micro"
8 | subnet_id = local.private_a_subnet_id
9 | vpc_security_group_ids = [aws_security_group.web.id]
10 |
11 | user_data = templatefile("./init-script.sh", {
12 | file_content = "blue version 1.2 - ${count.index}"
13 | })
14 |
15 | tags = {
16 | Name = "blue version 1.2 - ${count.index}"
17 | }
18 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.blue
File: /lessons/063/blue.tf:22-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks.html
22 | resource "aws_lb_target_group" "blue" {
23 | name = "blue-tg-blue-lb"
24 | port = 80
25 | protocol = "HTTP"
26 | vpc_id = local.vpc_id
27 |
28 | health_check {
29 | port = 80
30 | protocol = "HTTP"
31 | timeout = 5
32 | interval = 10
33 | }
34 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.blue[1]
File: /lessons/063/blue.tf:3-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
3 | resource "aws_instance" "blue" {
4 | count = var.enable_blue_env ? var.blue_instance_count : 0
5 |
6 | ami = local.ubuntu_ami
7 | instance_type = "t2.micro"
8 | subnet_id = local.private_a_subnet_id
9 | vpc_security_group_ids = [aws_security_group.web.id]
10 |
11 | user_data = templatefile("./init-script.sh", {
12 | file_content = "blue version 1.2 - ${count.index}"
13 | })
14 |
15 | tags = {
16 | Name = "blue version 1.2 - ${count.index}"
17 | }
18 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.blue[1]
File: /lessons/063/blue.tf:3-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
3 | resource "aws_instance" "blue" {
4 | count = var.enable_blue_env ? var.blue_instance_count : 0
5 |
6 | ami = local.ubuntu_ami
7 | instance_type = "t2.micro"
8 | subnet_id = local.private_a_subnet_id
9 | vpc_security_group_ids = [aws_security_group.web.id]
10 |
11 | user_data = templatefile("./init-script.sh", {
12 | file_content = "blue version 1.2 - ${count.index}"
13 | })
14 |
15 | tags = {
16 | Name = "blue version 1.2 - ${count.index}"
17 | }
18 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.blue[1]
File: /lessons/063/blue.tf:3-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
3 | resource "aws_instance" "blue" {
4 | count = var.enable_blue_env ? var.blue_instance_count : 0
5 |
6 | ami = local.ubuntu_ami
7 | instance_type = "t2.micro"
8 | subnet_id = local.private_a_subnet_id
9 | vpc_security_group_ids = [aws_security_group.web.id]
10 |
11 | user_data = templatefile("./init-script.sh", {
12 | file_content = "blue version 1.2 - ${count.index}"
13 | })
14 |
15 | tags = {
16 | Name = "blue version 1.2 - ${count.index}"
17 | }
18 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.blue[1]
File: /lessons/063/blue.tf:3-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
3 | resource "aws_instance" "blue" {
4 | count = var.enable_blue_env ? var.blue_instance_count : 0
5 |
6 | ami = local.ubuntu_ami
7 | instance_type = "t2.micro"
8 | subnet_id = local.private_a_subnet_id
9 | vpc_security_group_ids = [aws_security_group.web.id]
10 |
11 | user_data = templatefile("./init-script.sh", {
12 | file_content = "blue version 1.2 - ${count.index}"
13 | })
14 |
15 | tags = {
16 | Name = "blue version 1.2 - ${count.index}"
17 | }
18 | }
Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
FAILED for resource: aws_lb_target_group.green
File: /lessons/063/green.tf:22-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks.html
22 | resource "aws_lb_target_group" "green" {
23 | name = "green-tg-green-lb"
24 | port = 80
25 | protocol = "HTTP"
26 | vpc_id = local.vpc_id
27 |
28 | health_check {
29 | port = 80
30 | protocol = "HTTP"
31 | timeout = 5
32 | interval = 10
33 | }
34 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.web
File: /lessons/063/main.tf:40-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
40 | resource "aws_security_group" "web" {
41 | name = "web-sg"
42 | description = "Security group for web-servers with HTTP ports open within VPC"
43 | vpc_id = local.vpc_id
44 |
45 | ingress {
46 | from_port = 80
47 | to_port = 80
48 | protocol = "tcp"
49 | cidr_blocks = ["0.0.0.0/0"]
50 | }
51 |
52 | egress {
53 | from_port = 0
54 | to_port = 0
55 | protocol = "-1"
56 | cidr_blocks = ["0.0.0.0/0"]
57 | ipv6_cidr_blocks = ["::/0"]
58 | }
59 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.web
File: /lessons/063/main.tf:40-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
40 | resource "aws_security_group" "web" {
41 | name = "web-sg"
42 | description = "Security group for web-servers with HTTP ports open within VPC"
43 | vpc_id = local.vpc_id
44 |
45 | ingress {
46 | from_port = 80
47 | to_port = 80
48 | protocol = "tcp"
49 | cidr_blocks = ["0.0.0.0/0"]
50 | }
51 |
52 | egress {
53 | from_port = 0
54 | to_port = 0
55 | protocol = "-1"
56 | cidr_blocks = ["0.0.0.0/0"]
57 | ipv6_cidr_blocks = ["::/0"]
58 | }
59 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.app
File: /lessons/063/main.tf:64-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
64 | resource "aws_lb" "app" {
65 | name = "app-lb"
66 | internal = false
67 | load_balancer_type = "application"
68 | subnets = [
69 | local.public_a_subnet_id,
70 | local.public_b_subnet_id
71 | ]
72 | security_groups = [aws_security_group.web.id]
73 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: aws_lb.app
File: /lessons/063/main.tf:64-73
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
64 | resource "aws_lb" "app" {
65 | name = "app-lb"
66 | internal = false
67 | load_balancer_type = "application"
68 | subnets = [
69 | local.public_a_subnet_id,
70 | local.public_b_subnet_id
71 | ]
72 | security_groups = [aws_security_group.web.id]
73 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.app
File: /lessons/063/main.tf:64-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
64 | resource "aws_lb" "app" {
65 | name = "app-lb"
66 | internal = false
67 | load_balancer_type = "application"
68 | subnets = [
69 | local.public_a_subnet_id,
70 | local.public_b_subnet_id
71 | ]
72 | security_groups = [aws_security_group.web.id]
73 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: aws_lb_listener.app
File: /lessons/063/main.tf:77-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
77 | resource "aws_lb_listener" "app" {
78 | load_balancer_arn = aws_lb.app.arn
79 | port = "80"
80 | protocol = "HTTP"
81 |
82 | default_action {
83 | type = "forward"
84 | # target_group_arn = aws_lb_target_group.blue.arn
85 | forward {
86 | target_group {
87 | arn = aws_lb_target_group.blue.arn
88 | weight = lookup(local.traffic_dist_map[var.traffic_distribution], "blue", 100)
89 | }
90 |
91 | target_group {
92 | arn = aws_lb_target_group.green.arn
93 | weight = lookup(local.traffic_dist_map[var.traffic_distribution], "green", 0)
94 | }
95 |
96 | stickiness {
97 | enabled = false
98 | duration = 1
99 | }
100 | }
101 | }
102 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: google_compute_subnetwork.private
File: /lessons/069/terraform/3-vpc.tf:11-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
11 | resource "google_compute_subnetwork" "private" {
12 | name = "private"
13 | project = google_compute_shared_vpc_host_project.host.project
14 | ip_cidr_range = "10.5.0.0/20"
15 | region = local.region
16 | network = google_compute_network.main.self_link
17 | private_ip_google_access = true
18 |
19 | # secondary_ip_range {
20 | # range_name = "pod-ip-range"
21 | # ip_cidr_range = "10.0.0.0/14"
22 | # }
23 |
24 | # secondary_ip_range {
25 | # range_name = "services-ip-range"
26 | # ip_cidr_range = "10.4.0.0/19"
27 | # }
28 |
29 | dynamic "secondary_ip_range" {
30 | for_each = local.secondary_ip_ranges
31 |
32 | content {
33 | range_name = secondary_ip_range.key
34 | ip_cidr_range = secondary_ip_range.value
35 | }
36 | }
37 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: google_compute_subnetwork.private
File: /lessons/069/terraform/3-vpc.tf:11-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
11 | resource "google_compute_subnetwork" "private" {
12 | name = "private"
13 | project = google_compute_shared_vpc_host_project.host.project
14 | ip_cidr_range = "10.5.0.0/20"
15 | region = local.region
16 | network = google_compute_network.main.self_link
17 | private_ip_google_access = true
18 |
19 | # secondary_ip_range {
20 | # range_name = "pod-ip-range"
21 | # ip_cidr_range = "10.0.0.0/14"
22 | # }
23 |
24 | # secondary_ip_range {
25 | # range_name = "services-ip-range"
26 | # ip_cidr_range = "10.4.0.0/19"
27 | # }
28 |
29 | dynamic "secondary_ip_range" {
30 | for_each = local.secondary_ip_ranges
31 |
32 | content {
33 | range_name = secondary_ip_range.key
34 | ip_cidr_range = secondary_ip_range.value
35 | }
36 | }
37 | }
Check: CKV_GCP_66: "Ensure use of Binary Authorization"
FAILED for resource: google_container_cluster.gke
File: /lessons/069/terraform/7-kubernetes.tf:9-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-use-of-binary-authorization.html
9 | resource "google_container_cluster" "gke" {
10 | name = "gke"
11 | location = local.region
12 | project = local.service_project_id
13 |
14 | networking_mode = "VPC_NATIVE"
15 | network = google_compute_network.main.self_link
16 | subnetwork = google_compute_subnetwork.private.self_link
17 |
18 | remove_default_node_pool = true
19 | initial_node_count = 1
20 |
21 | release_channel {
22 | channel = "REGULAR"
23 | }
24 |
25 | ip_allocation_policy {
26 | cluster_secondary_range_name = "pod-ip-range"
27 | services_secondary_range_name = "services-ip-range"
28 | }
29 |
30 | network_policy {
31 | provider = "PROVIDER_UNSPECIFIED"
32 | enabled = true
33 | }
34 |
35 | private_cluster_config {
36 | enable_private_endpoint = false
37 | enable_private_nodes = true
38 | master_ipv4_cidr_block = "172.16.0.0/28"
39 | }
40 |
41 | workload_identity_config {
42 | identity_namespace = "${google_project.k8s-staging.project_id}.svc.id.goog"
43 | }
44 |
45 | }
Check: CKV_GCP_24: "Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters"
FAILED for resource: google_container_cluster.gke
File: /lessons/069/terraform/7-kubernetes.tf:9-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-9.html
9 | resource "google_container_cluster" "gke" {
10 | name = "gke"
11 | location = local.region
12 | project = local.service_project_id
13 |
14 | networking_mode = "VPC_NATIVE"
15 | network = google_compute_network.main.self_link
16 | subnetwork = google_compute_subnetwork.private.self_link
17 |
18 | remove_default_node_pool = true
19 | initial_node_count = 1
20 |
21 | release_channel {
22 | channel = "REGULAR"
23 | }
24 |
25 | ip_allocation_policy {
26 | cluster_secondary_range_name = "pod-ip-range"
27 | services_secondary_range_name = "services-ip-range"
28 | }
29 |
30 | network_policy {
31 | provider = "PROVIDER_UNSPECIFIED"
32 | enabled = true
33 | }
34 |
35 | private_cluster_config {
36 | enable_private_endpoint = false
37 | enable_private_nodes = true
38 | master_ipv4_cidr_block = "172.16.0.0/28"
39 | }
40 |
41 | workload_identity_config {
42 | identity_namespace = "${google_project.k8s-staging.project_id}.svc.id.goog"
43 | }
44 |
45 | }
Check: CKV_GCP_65: "Manage Kubernetes RBAC users with Google Groups for GKE"
FAILED for resource: google_container_cluster.gke
File: /lessons/069/terraform/7-kubernetes.tf:9-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/manage-kubernetes-rbac-users-with-google-groups-for-gke.html
9 | resource "google_container_cluster" "gke" {
10 | name = "gke"
11 | location = local.region
12 | project = local.service_project_id
13 |
14 | networking_mode = "VPC_NATIVE"
15 | network = google_compute_network.main.self_link
16 | subnetwork = google_compute_subnetwork.private.self_link
17 |
18 | remove_default_node_pool = true
19 | initial_node_count = 1
20 |
21 | release_channel {
22 | channel = "REGULAR"
23 | }
24 |
25 | ip_allocation_policy {
26 | cluster_secondary_range_name = "pod-ip-range"
27 | services_secondary_range_name = "services-ip-range"
28 | }
29 |
30 | network_policy {
31 | provider = "PROVIDER_UNSPECIFIED"
32 | enabled = true
33 | }
34 |
35 | private_cluster_config {
36 | enable_private_endpoint = false
37 | enable_private_nodes = true
38 | master_ipv4_cidr_block = "172.16.0.0/28"
39 | }
40 |
41 | workload_identity_config {
42 | identity_namespace = "${google_project.k8s-staging.project_id}.svc.id.goog"
43 | }
44 |
45 | }
Check: CKV_GCP_20: "Ensure master authorized networks is set to enabled in GKE clusters"
FAILED for resource: google_container_cluster.gke
File: /lessons/069/terraform/7-kubernetes.tf:9-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-12.html
9 | resource "google_container_cluster" "gke" {
10 | name = "gke"
11 | location = local.region
12 | project = local.service_project_id
13 |
14 | networking_mode = "VPC_NATIVE"
15 | network = google_compute_network.main.self_link
16 | subnetwork = google_compute_subnetwork.private.self_link
17 |
18 | remove_default_node_pool = true
19 | initial_node_count = 1
20 |
21 | release_channel {
22 | channel = "REGULAR"
23 | }
24 |
25 | ip_allocation_policy {
26 | cluster_secondary_range_name = "pod-ip-range"
27 | services_secondary_range_name = "services-ip-range"
28 | }
29 |
30 | network_policy {
31 | provider = "PROVIDER_UNSPECIFIED"
32 | enabled = true
33 | }
34 |
35 | private_cluster_config {
36 | enable_private_endpoint = false
37 | enable_private_nodes = true
38 | master_ipv4_cidr_block = "172.16.0.0/28"
39 | }
40 |
41 | workload_identity_config {
42 | identity_namespace = "${google_project.k8s-staging.project_id}.svc.id.goog"
43 | }
44 |
45 | }
Check: CKV_GCP_21: "Ensure Kubernetes Clusters are configured with Labels"
FAILED for resource: google_container_cluster.gke
File: /lessons/069/terraform/7-kubernetes.tf:9-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-13.html
9 | resource "google_container_cluster" "gke" {
10 | name = "gke"
11 | location = local.region
12 | project = local.service_project_id
13 |
14 | networking_mode = "VPC_NATIVE"
15 | network = google_compute_network.main.self_link
16 | subnetwork = google_compute_subnetwork.private.self_link
17 |
18 | remove_default_node_pool = true
19 | initial_node_count = 1
20 |
21 | release_channel {
22 | channel = "REGULAR"
23 | }
24 |
25 | ip_allocation_policy {
26 | cluster_secondary_range_name = "pod-ip-range"
27 | services_secondary_range_name = "services-ip-range"
28 | }
29 |
30 | network_policy {
31 | provider = "PROVIDER_UNSPECIFIED"
32 | enabled = true
33 | }
34 |
35 | private_cluster_config {
36 | enable_private_endpoint = false
37 | enable_private_nodes = true
38 | master_ipv4_cidr_block = "172.16.0.0/28"
39 | }
40 |
41 | workload_identity_config {
42 | identity_namespace = "${google_project.k8s-staging.project_id}.svc.id.goog"
43 | }
44 |
45 | }
Check: CKV_GCP_69: "Ensure the GKE Metadata Server is Enabled"
FAILED for resource: google_container_cluster.gke
File: /lessons/069/terraform/7-kubernetes.tf:9-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-the-gke-metadata-server-is-enabled.html
9 | resource "google_container_cluster" "gke" {
10 | name = "gke"
11 | location = local.region
12 | project = local.service_project_id
13 |
14 | networking_mode = "VPC_NATIVE"
15 | network = google_compute_network.main.self_link
16 | subnetwork = google_compute_subnetwork.private.self_link
17 |
18 | remove_default_node_pool = true
19 | initial_node_count = 1
20 |
21 | release_channel {
22 | channel = "REGULAR"
23 | }
24 |
25 | ip_allocation_policy {
26 | cluster_secondary_range_name = "pod-ip-range"
27 | services_secondary_range_name = "services-ip-range"
28 | }
29 |
30 | network_policy {
31 | provider = "PROVIDER_UNSPECIFIED"
32 | enabled = true
33 | }
34 |
35 | private_cluster_config {
36 | enable_private_endpoint = false
37 | enable_private_nodes = true
38 | master_ipv4_cidr_block = "172.16.0.0/28"
39 | }
40 |
41 | workload_identity_config {
42 | identity_namespace = "${google_project.k8s-staging.project_id}.svc.id.goog"
43 | }
44 |
45 | }
Check: CKV_GCP_13: "Ensure client certificate authentication to Kubernetes Engine Clusters is disabled"
FAILED for resource: google_container_cluster.gke
File: /lessons/069/terraform/7-kubernetes.tf:9-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-8.html
9 | resource "google_container_cluster" "gke" {
10 | name = "gke"
11 | location = local.region
12 | project = local.service_project_id
13 |
14 | networking_mode = "VPC_NATIVE"
15 | network = google_compute_network.main.self_link
16 | subnetwork = google_compute_subnetwork.private.self_link
17 |
18 | remove_default_node_pool = true
19 | initial_node_count = 1
20 |
21 | release_channel {
22 | channel = "REGULAR"
23 | }
24 |
25 | ip_allocation_policy {
26 | cluster_secondary_range_name = "pod-ip-range"
27 | services_secondary_range_name = "services-ip-range"
28 | }
29 |
30 | network_policy {
31 | provider = "PROVIDER_UNSPECIFIED"
32 | enabled = true
33 | }
34 |
35 | private_cluster_config {
36 | enable_private_endpoint = false
37 | enable_private_nodes = true
38 | master_ipv4_cidr_block = "172.16.0.0/28"
39 | }
40 |
41 | workload_identity_config {
42 | identity_namespace = "${google_project.k8s-staging.project_id}.svc.id.goog"
43 | }
44 |
45 | }
Check: CKV_GCP_61: "Enable VPC Flow Logs and Intranode Visibility"
FAILED for resource: google_container_cluster.gke
File: /lessons/069/terraform/7-kubernetes.tf:9-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/enable-vpc-flow-logs-and-intranode-visibility.html
9 | resource "google_container_cluster" "gke" {
10 | name = "gke"
11 | location = local.region
12 | project = local.service_project_id
13 |
14 | networking_mode = "VPC_NATIVE"
15 | network = google_compute_network.main.self_link
16 | subnetwork = google_compute_subnetwork.private.self_link
17 |
18 | remove_default_node_pool = true
19 | initial_node_count = 1
20 |
21 | release_channel {
22 | channel = "REGULAR"
23 | }
24 |
25 | ip_allocation_policy {
26 | cluster_secondary_range_name = "pod-ip-range"
27 | services_secondary_range_name = "services-ip-range"
28 | }
29 |
30 | network_policy {
31 | provider = "PROVIDER_UNSPECIFIED"
32 | enabled = true
33 | }
34 |
35 | private_cluster_config {
36 | enable_private_endpoint = false
37 | enable_private_nodes = true
38 | master_ipv4_cidr_block = "172.16.0.0/28"
39 | }
40 |
41 | workload_identity_config {
42 | identity_namespace = "${google_project.k8s-staging.project_id}.svc.id.goog"
43 | }
44 |
45 | }
Check: CKV_GCP_68: "Ensure Secure Boot for Shielded GKE Nodes is Enabled"
FAILED for resource: google_container_node_pool.general
File: /lessons/069/terraform/7-kubernetes.tf:47-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-secure-boot-for-shielded-gke-nodes-is-enabled.html
47 | resource "google_container_node_pool" "general" {
48 | name = "general"
49 | location = local.region
50 | cluster = google_container_cluster.gke.name
51 | project = local.service_project_id
52 | node_count = 1
53 |
54 | management {
55 | auto_repair = true
56 | auto_upgrade = true
57 | }
58 |
59 | node_config {
60 | labels = {
61 | role = "general"
62 | }
63 | machine_type = "e2-medium"
64 |
65 | service_account = google_service_account.k8s-staging.email
66 | oauth_scopes = [
67 | "https://www.googleapis.com/auth/cloud-platform"
68 | ]
69 | }
70 | }
Check: CKV_GCP_69: "Ensure the GKE Metadata Server is Enabled"
FAILED for resource: google_container_node_pool.general
File: /lessons/069/terraform/7-kubernetes.tf:47-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-the-gke-metadata-server-is-enabled.html
47 | resource "google_container_node_pool" "general" {
48 | name = "general"
49 | location = local.region
50 | cluster = google_container_cluster.gke.name
51 | project = local.service_project_id
52 | node_count = 1
53 |
54 | management {
55 | auto_repair = true
56 | auto_upgrade = true
57 | }
58 |
59 | node_config {
60 | labels = {
61 | role = "general"
62 | }
63 | machine_type = "e2-medium"
64 |
65 | service_account = google_service_account.k8s-staging.email
66 | oauth_scopes = [
67 | "https://www.googleapis.com/auth/cloud-platform"
68 | ]
69 | }
70 | }
Check: CKV_GCP_22: "Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image"
FAILED for resource: google_container_node_pool.general
File: /lessons/069/terraform/7-kubernetes.tf:47-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-14.html
47 | resource "google_container_node_pool" "general" {
48 | name = "general"
49 | location = local.region
50 | cluster = google_container_cluster.gke.name
51 | project = local.service_project_id
52 | node_count = 1
53 |
54 | management {
55 | auto_repair = true
56 | auto_upgrade = true
57 | }
58 |
59 | node_config {
60 | labels = {
61 | role = "general"
62 | }
63 | machine_type = "e2-medium"
64 |
65 | service_account = google_service_account.k8s-staging.email
66 | oauth_scopes = [
67 | "https://www.googleapis.com/auth/cloud-platform"
68 | ]
69 | }
70 | }
Check: CKV_GCP_106: "Ensure Google compute firewall ingress does not allow unrestricted http port 80 access"
FAILED for resource: google_compute_firewall.lb
File: /lessons/069/terraform/8-firewall.tf:1-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-http-port-80-access.html
1 | resource "google_compute_firewall" "lb" {
2 | name = "k8s-fw-abdca8a7bd83f4a84a8fb7a869242967"
3 | network = google_compute_network.main.name
4 | project = local.host_project_id
5 | description = "{\"kubernetes.io/service-name\":\"default/nginx\", \"kubernetes.io/service-ip\":\"35.235.121.183\"}"
6 |
7 | allow {
8 | protocol = "tcp"
9 | ports = ["80"]
10 | }
11 |
12 | source_ranges = ["0.0.0.0/0"]
13 | target_tags = ["gke-gke-08c5d5fb-node"]
14 | }
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/089/terraform/6-eks.tf:31-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
31 | resource "aws_eks_cluster" "demo" {
32 | name = "demo"
33 | role_arn = aws_iam_role.demo.arn
34 |
35 | vpc_config {
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
45 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
46 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
47 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/089/terraform/6-eks.tf:31-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
31 | resource "aws_eks_cluster" "demo" {
32 | name = "demo"
33 | role_arn = aws_iam_role.demo.arn
34 |
35 | vpc_config {
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
45 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
46 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
47 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/089/terraform/6-eks.tf:31-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
31 | resource "aws_eks_cluster" "demo" {
32 | name = "demo"
33 | role_arn = aws_iam_role.demo.arn
34 |
35 | vpc_config {
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
45 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
46 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
47 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/089/terraform/6-eks.tf:31-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
31 | resource "aws_eks_cluster" "demo" {
32 | name = "demo"
33 | role_arn = aws_iam_role.demo.arn
34 |
35 | vpc_config {
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
45 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
46 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
47 | }
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/090/terraform/6-eks.tf:31-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
31 | resource "aws_eks_cluster" "demo" {
32 | name = "demo"
33 | role_arn = aws_iam_role.demo.arn
34 |
35 | vpc_config {
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
45 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
46 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
47 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/090/terraform/6-eks.tf:31-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
31 | resource "aws_eks_cluster" "demo" {
32 | name = "demo"
33 | role_arn = aws_iam_role.demo.arn
34 |
35 | vpc_config {
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
45 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
46 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
47 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/090/terraform/6-eks.tf:31-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
31 | resource "aws_eks_cluster" "demo" {
32 | name = "demo"
33 | role_arn = aws_iam_role.demo.arn
34 |
35 | vpc_config {
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
45 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
46 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
47 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/090/terraform/6-eks.tf:31-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
31 | resource "aws_eks_cluster" "demo" {
32 | name = "demo"
33 | role_arn = aws_iam_role.demo.arn
34 |
35 | vpc_config {
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
45 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
46 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
47 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1a
File: /lessons/091/terraform/3-subnets.tf:27-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
27 | resource "aws_subnet" "public-us-east-1a" {
28 | vpc_id = aws_vpc.main.id
29 | cidr_block = "10.0.64.0/19"
30 | availability_zone = "us-east-1a"
31 | map_public_ip_on_launch = true
32 |
33 | tags = {
34 | "Name" = "public-us-east-1a"
35 | "kubernetes.io/role/elb" = "1"
36 | "kubernetes.io/cluster/demo" = "owned"
37 | }
38 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1b
File: /lessons/091/terraform/3-subnets.tf:40-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
40 | resource "aws_subnet" "public-us-east-1b" {
41 | vpc_id = aws_vpc.main.id
42 | cidr_block = "10.0.96.0/19"
43 | availability_zone = "us-east-1b"
44 | map_public_ip_on_launch = true
45 |
46 | tags = {
47 | "Name" = "public-us-east-1b"
48 | "kubernetes.io/role/elb" = "1"
49 | "kubernetes.io/cluster/demo" = "owned"
50 | }
51 | }
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/091/terraform/6-eks.tf:31-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
31 | resource "aws_eks_cluster" "demo" {
32 | name = "demo"
33 | role_arn = aws_iam_role.demo.arn
34 |
35 | vpc_config {
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
45 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
46 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
47 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/091/terraform/6-eks.tf:31-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
31 | resource "aws_eks_cluster" "demo" {
32 | name = "demo"
33 | role_arn = aws_iam_role.demo.arn
34 |
35 | vpc_config {
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
45 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
46 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
47 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/091/terraform/6-eks.tf:31-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
31 | resource "aws_eks_cluster" "demo" {
32 | name = "demo"
33 | role_arn = aws_iam_role.demo.arn
34 |
35 | vpc_config {
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
45 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
46 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
47 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/091/terraform/6-eks.tf:31-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
31 | resource "aws_eks_cluster" "demo" {
32 | name = "demo"
33 | role_arn = aws_iam_role.demo.arn
34 |
35 | vpc_config {
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
45 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
46 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
47 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1a
File: /lessons/099/terraform/3-subnets.tf:27-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
27 | resource "aws_subnet" "public-us-east-1a" {
28 | vpc_id = aws_vpc.main.id
29 | cidr_block = "10.0.64.0/19"
30 | availability_zone = "us-east-1a"
31 | map_public_ip_on_launch = true
32 |
33 | tags = {
34 | "Name" = "public-us-east-1a"
35 | "kubernetes.io/role/elb" = "1"
36 | "kubernetes.io/cluster/demo" = "owned"
37 | }
38 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1b
File: /lessons/099/terraform/3-subnets.tf:40-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
40 | resource "aws_subnet" "public-us-east-1b" {
41 | vpc_id = aws_vpc.main.id
42 | cidr_block = "10.0.96.0/19"
43 | availability_zone = "us-east-1b"
44 | map_public_ip_on_launch = true
45 |
46 | tags = {
47 | "Name" = "public-us-east-1b"
48 | "kubernetes.io/role/elb" = "1"
49 | "kubernetes.io/cluster/demo" = "owned"
50 | }
51 | }
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/099/terraform/6-eks.tf:31-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
31 | resource "aws_eks_cluster" "demo" {
32 | name = "demo"
33 | role_arn = aws_iam_role.demo.arn
34 |
35 | vpc_config {
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
45 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
46 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
47 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/099/terraform/6-eks.tf:31-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
31 | resource "aws_eks_cluster" "demo" {
32 | name = "demo"
33 | role_arn = aws_iam_role.demo.arn
34 |
35 | vpc_config {
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
45 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
46 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
47 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/099/terraform/6-eks.tf:31-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
31 | resource "aws_eks_cluster" "demo" {
32 | name = "demo"
33 | role_arn = aws_iam_role.demo.arn
34 |
35 | vpc_config {
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
45 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
46 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
47 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/099/terraform/6-eks.tf:31-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
31 | resource "aws_eks_cluster" "demo" {
32 | name = "demo"
33 | role_arn = aws_iam_role.demo.arn
34 |
35 | vpc_config {
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
45 | # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
46 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
47 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_launch_template.eks-with-disks
File: /lessons/099/terraform/7-nodes.tf:70-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
70 | resource "aws_launch_template" "eks-with-disks" {
71 | name = "eks-with-disks"
72 |
73 | key_name = "local-provisioner"
74 |
75 | block_device_mappings {
76 | device_name = "/dev/xvdb"
77 |
78 | ebs {
79 | volume_size = 50
80 | volume_type = "gp2"
81 | }
82 | }
83 | }
Check: CKV_GCP_106: "Ensure Google compute firewall ingress does not allow unrestricted http port 80 access"
FAILED for resource: google_compute_firewall.web
File: /lessons/101/2-example.tf:29-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-http-port-80-access.html
29 | resource "google_compute_firewall" "web" {
30 | name = "web-access"
31 | network = local.network
32 |
33 | allow {
34 | protocol = "tcp"
35 | ports = ["80"]
36 | }
37 |
38 | source_ranges = ["0.0.0.0/0"]
39 | target_service_accounts = [google_service_account.nginx.email]
40 | }
Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
FAILED for resource: google_compute_instance.nginx["nginx-000-staging"]
File: /lessons/101/2-example.tf:42-79
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
42 | resource "google_compute_instance" "nginx" {
43 | for_each = local.web_servers
44 |
45 | name = each.key
46 | machine_type = each.value.machine_type
47 | zone = each.value.zone
48 |
49 | boot_disk {
50 | initialize_params {
51 | image = local.image
52 | }
53 | }
54 |
55 | network_interface {
56 | network = local.network
57 | access_config {}
58 | }
59 |
60 | service_account {
61 | email = google_service_account.nginx.email
62 | scopes = ["cloud-platform"]
63 | }
64 |
65 | provisioner "remote-exec" {
66 | inline = ["echo 'Wait until SSH is ready'"]
67 |
68 | connection {
69 | type = "ssh"
70 | user = local.ssh_user
71 | private_key = file(local.private_key_path)
72 | host = self.network_interface.0.access_config.0.nat_ip
73 | }
74 | }
75 |
76 | provisioner "local-exec" {
77 | command = "ansible-playbook -i ${self.network_interface.0.access_config.0.nat_ip}, --private-key ${local.private_key_path} nginx.yaml"
78 | }
79 | }
Check: CKV_GCP_40: "Ensure that Compute instances do not have public IP addresses"
FAILED for resource: google_compute_instance.nginx["nginx-000-staging"]
File: /lessons/101/2-example.tf:42-79
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-2.html
42 | resource "google_compute_instance" "nginx" {
43 | for_each = local.web_servers
44 |
45 | name = each.key
46 | machine_type = each.value.machine_type
47 | zone = each.value.zone
48 |
49 | boot_disk {
50 | initialize_params {
51 | image = local.image
52 | }
53 | }
54 |
55 | network_interface {
56 | network = local.network
57 | access_config {}
58 | }
59 |
60 | service_account {
61 | email = google_service_account.nginx.email
62 | scopes = ["cloud-platform"]
63 | }
64 |
65 | provisioner "remote-exec" {
66 | inline = ["echo 'Wait until SSH is ready'"]
67 |
68 | connection {
69 | type = "ssh"
70 | user = local.ssh_user
71 | private_key = file(local.private_key_path)
72 | host = self.network_interface.0.access_config.0.nat_ip
73 | }
74 | }
75 |
76 | provisioner "local-exec" {
77 | command = "ansible-playbook -i ${self.network_interface.0.access_config.0.nat_ip}, --private-key ${local.private_key_path} nginx.yaml"
78 | }
79 | }
Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
FAILED for resource: google_compute_instance.nginx["nginx-000-staging"]
File: /lessons/101/2-example.tf:42-79
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
42 | resource "google_compute_instance" "nginx" {
43 | for_each = local.web_servers
44 |
45 | name = each.key
46 | machine_type = each.value.machine_type
47 | zone = each.value.zone
48 |
49 | boot_disk {
50 | initialize_params {
51 | image = local.image
52 | }
53 | }
54 |
55 | network_interface {
56 | network = local.network
57 | access_config {}
58 | }
59 |
60 | service_account {
61 | email = google_service_account.nginx.email
62 | scopes = ["cloud-platform"]
63 | }
64 |
65 | provisioner "remote-exec" {
66 | inline = ["echo 'Wait until SSH is ready'"]
67 |
68 | connection {
69 | type = "ssh"
70 | user = local.ssh_user
71 | private_key = file(local.private_key_path)
72 | host = self.network_interface.0.access_config.0.nat_ip
73 | }
74 | }
75 |
76 | provisioner "local-exec" {
77 | command = "ansible-playbook -i ${self.network_interface.0.access_config.0.nat_ip}, --private-key ${local.private_key_path} nginx.yaml"
78 | }
79 | }
Check: CKV_GCP_38: "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: google_compute_instance.nginx["nginx-000-staging"]
File: /lessons/101/2-example.tf:42-79
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/encrypt-boot-disks-for-instances-with-cseks.html
42 | resource "google_compute_instance" "nginx" {
43 | for_each = local.web_servers
44 |
45 | name = each.key
46 | machine_type = each.value.machine_type
47 | zone = each.value.zone
48 |
49 | boot_disk {
50 | initialize_params {
51 | image = local.image
52 | }
53 | }
54 |
55 | network_interface {
56 | network = local.network
57 | access_config {}
58 | }
59 |
60 | service_account {
61 | email = google_service_account.nginx.email
62 | scopes = ["cloud-platform"]
63 | }
64 |
65 | provisioner "remote-exec" {
66 | inline = ["echo 'Wait until SSH is ready'"]
67 |
68 | connection {
69 | type = "ssh"
70 | user = local.ssh_user
71 | private_key = file(local.private_key_path)
72 | host = self.network_interface.0.access_config.0.nat_ip
73 | }
74 | }
75 |
76 | provisioner "local-exec" {
77 | command = "ansible-playbook -i ${self.network_interface.0.access_config.0.nat_ip}, --private-key ${local.private_key_path} nginx.yaml"
78 | }
79 | }
Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
FAILED for resource: google_compute_instance.nginx["nginx-001-staging"]
File: /lessons/101/2-example.tf:42-79
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
42 | resource "google_compute_instance" "nginx" {
43 | for_each = local.web_servers
44 |
45 | name = each.key
46 | machine_type = each.value.machine_type
47 | zone = each.value.zone
48 |
49 | boot_disk {
50 | initialize_params {
51 | image = local.image
52 | }
53 | }
54 |
55 | network_interface {
56 | network = local.network
57 | access_config {}
58 | }
59 |
60 | service_account {
61 | email = google_service_account.nginx.email
62 | scopes = ["cloud-platform"]
63 | }
64 |
65 | provisioner "remote-exec" {
66 | inline = ["echo 'Wait until SSH is ready'"]
67 |
68 | connection {
69 | type = "ssh"
70 | user = local.ssh_user
71 | private_key = file(local.private_key_path)
72 | host = self.network_interface.0.access_config.0.nat_ip
73 | }
74 | }
75 |
76 | provisioner "local-exec" {
77 | command = "ansible-playbook -i ${self.network_interface.0.access_config.0.nat_ip}, --private-key ${local.private_key_path} nginx.yaml"
78 | }
79 | }
Check: CKV_GCP_40: "Ensure that Compute instances do not have public IP addresses"
FAILED for resource: google_compute_instance.nginx["nginx-001-staging"]
File: /lessons/101/2-example.tf:42-79
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-2.html
42 | resource "google_compute_instance" "nginx" {
43 | for_each = local.web_servers
44 |
45 | name = each.key
46 | machine_type = each.value.machine_type
47 | zone = each.value.zone
48 |
49 | boot_disk {
50 | initialize_params {
51 | image = local.image
52 | }
53 | }
54 |
55 | network_interface {
56 | network = local.network
57 | access_config {}
58 | }
59 |
60 | service_account {
61 | email = google_service_account.nginx.email
62 | scopes = ["cloud-platform"]
63 | }
64 |
65 | provisioner "remote-exec" {
66 | inline = ["echo 'Wait until SSH is ready'"]
67 |
68 | connection {
69 | type = "ssh"
70 | user = local.ssh_user
71 | private_key = file(local.private_key_path)
72 | host = self.network_interface.0.access_config.0.nat_ip
73 | }
74 | }
75 |
76 | provisioner "local-exec" {
77 | command = "ansible-playbook -i ${self.network_interface.0.access_config.0.nat_ip}, --private-key ${local.private_key_path} nginx.yaml"
78 | }
79 | }
Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
FAILED for resource: google_compute_instance.nginx["nginx-001-staging"]
File: /lessons/101/2-example.tf:42-79
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
42 | resource "google_compute_instance" "nginx" {
43 | for_each = local.web_servers
44 |
45 | name = each.key
46 | machine_type = each.value.machine_type
47 | zone = each.value.zone
48 |
49 | boot_disk {
50 | initialize_params {
51 | image = local.image
52 | }
53 | }
54 |
55 | network_interface {
56 | network = local.network
57 | access_config {}
58 | }
59 |
60 | service_account {
61 | email = google_service_account.nginx.email
62 | scopes = ["cloud-platform"]
63 | }
64 |
65 | provisioner "remote-exec" {
66 | inline = ["echo 'Wait until SSH is ready'"]
67 |
68 | connection {
69 | type = "ssh"
70 | user = local.ssh_user
71 | private_key = file(local.private_key_path)
72 | host = self.network_interface.0.access_config.0.nat_ip
73 | }
74 | }
75 |
76 | provisioner "local-exec" {
77 | command = "ansible-playbook -i ${self.network_interface.0.access_config.0.nat_ip}, --private-key ${local.private_key_path} nginx.yaml"
78 | }
79 | }
Check: CKV_GCP_38: "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: google_compute_instance.nginx["nginx-001-staging"]
File: /lessons/101/2-example.tf:42-79
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/encrypt-boot-disks-for-instances-with-cseks.html
42 | resource "google_compute_instance" "nginx" {
43 | for_each = local.web_servers
44 |
45 | name = each.key
46 | machine_type = each.value.machine_type
47 | zone = each.value.zone
48 |
49 | boot_disk {
50 | initialize_params {
51 | image = local.image
52 | }
53 | }
54 |
55 | network_interface {
56 | network = local.network
57 | access_config {}
58 | }
59 |
60 | service_account {
61 | email = google_service_account.nginx.email
62 | scopes = ["cloud-platform"]
63 | }
64 |
65 | provisioner "remote-exec" {
66 | inline = ["echo 'Wait until SSH is ready'"]
67 |
68 | connection {
69 | type = "ssh"
70 | user = local.ssh_user
71 | private_key = file(local.private_key_path)
72 | host = self.network_interface.0.access_config.0.nat_ip
73 | }
74 | }
75 |
76 | provisioner "local-exec" {
77 | command = "ansible-playbook -i ${self.network_interface.0.access_config.0.nat_ip}, --private-key ${local.private_key_path} nginx.yaml"
78 | }
79 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1a
File: /lessons/102/terraform/3-subnets.tf:25-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
25 | resource "aws_subnet" "public-us-east-1a" {
26 | vpc_id = aws_vpc.main.id
27 | cidr_block = "10.0.64.0/19"
28 | availability_zone = "us-east-1a"
29 | map_public_ip_on_launch = true
30 |
31 | tags = {
32 | "Name" = "public-us-east-1a"
33 | "kubernetes.io/role/elb" = "1"
34 | "kubernetes.io/cluster/demo" = "owned"
35 | }
36 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1b
File: /lessons/102/terraform/3-subnets.tf:38-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
38 | resource "aws_subnet" "public-us-east-1b" {
39 | vpc_id = aws_vpc.main.id
40 | cidr_block = "10.0.96.0/19"
41 | availability_zone = "us-east-1b"
42 | map_public_ip_on_launch = true
43 |
44 | tags = {
45 | "Name" = "public-us-east-1b"
46 | "kubernetes.io/role/elb" = "1"
47 | "kubernetes.io/cluster/demo" = "owned"
48 | }
49 | }
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/102/terraform/6-eks.tf:32-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
32 | resource "aws_eks_cluster" "demo" {
33 | name = var.cluster_name
34 | role_arn = aws_iam_role.demo.arn
35 |
36 | vpc_config {
37 | subnet_ids = [
38 | aws_subnet.private-us-east-1a.id,
39 | aws_subnet.private-us-east-1b.id,
40 | aws_subnet.public-us-east-1a.id,
41 | aws_subnet.public-us-east-1b.id
42 | ]
43 | }
44 |
45 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
46 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/102/terraform/6-eks.tf:32-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
32 | resource "aws_eks_cluster" "demo" {
33 | name = var.cluster_name
34 | role_arn = aws_iam_role.demo.arn
35 |
36 | vpc_config {
37 | subnet_ids = [
38 | aws_subnet.private-us-east-1a.id,
39 | aws_subnet.private-us-east-1b.id,
40 | aws_subnet.public-us-east-1a.id,
41 | aws_subnet.public-us-east-1b.id
42 | ]
43 | }
44 |
45 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
46 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/102/terraform/6-eks.tf:32-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
32 | resource "aws_eks_cluster" "demo" {
33 | name = var.cluster_name
34 | role_arn = aws_iam_role.demo.arn
35 |
36 | vpc_config {
37 | subnet_ids = [
38 | aws_subnet.private-us-east-1a.id,
39 | aws_subnet.private-us-east-1b.id,
40 | aws_subnet.public-us-east-1a.id,
41 | aws_subnet.public-us-east-1b.id
42 | ]
43 | }
44 |
45 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
46 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/102/terraform/6-eks.tf:32-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
32 | resource "aws_eks_cluster" "demo" {
33 | name = var.cluster_name
34 | role_arn = aws_iam_role.demo.arn
35 |
36 | vpc_config {
37 | subnet_ids = [
38 | aws_subnet.private-us-east-1a.id,
39 | aws_subnet.private-us-east-1b.id,
40 | aws_subnet.public-us-east-1a.id,
41 | aws_subnet.public-us-east-1b.id
42 | ]
43 | }
44 |
45 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
46 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1a
File: /lessons/104/terraform/3-subnets.tf:1-6
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
1 | resource "aws_subnet" "public-us-east-1a" {
2 | vpc_id = aws_vpc.main.id
3 | cidr_block = "10.0.64.0/19"
4 | availability_zone = "us-east-1a"
5 | map_public_ip_on_launch = true
6 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.web
File: /lessons/104/terraform/5-ec2.tf:28-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
28 | resource "aws_instance" "web" {
29 | ami = data.aws_ami.ubuntu.id
30 | instance_type = "t3.small"
31 |
32 | key_name = local.key_name
33 |
34 | network_interface {
35 | network_interface_id = aws_network_interface.monitoring.id
36 | device_index = 0
37 | }
38 |
39 | tags = {
40 | Name = "monitoring"
41 | }
42 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.web
File: /lessons/104/terraform/5-ec2.tf:28-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
28 | resource "aws_instance" "web" {
29 | ami = data.aws_ami.ubuntu.id
30 | instance_type = "t3.small"
31 |
32 | key_name = local.key_name
33 |
34 | network_interface {
35 | network_interface_id = aws_network_interface.monitoring.id
36 | device_index = 0
37 | }
38 |
39 | tags = {
40 | Name = "monitoring"
41 | }
42 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.web
File: /lessons/104/terraform/5-ec2.tf:28-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
28 | resource "aws_instance" "web" {
29 | ami = data.aws_ami.ubuntu.id
30 | instance_type = "t3.small"
31 |
32 | key_name = local.key_name
33 |
34 | network_interface {
35 | network_interface_id = aws_network_interface.monitoring.id
36 | device_index = 0
37 | }
38 |
39 | tags = {
40 | Name = "monitoring"
41 | }
42 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.web
File: /lessons/104/terraform/5-ec2.tf:28-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
28 | resource "aws_instance" "web" {
29 | ami = data.aws_ami.ubuntu.id
30 | instance_type = "t3.small"
31 |
32 | key_name = local.key_name
33 |
34 | network_interface {
35 | network_interface_id = aws_network_interface.monitoring.id
36 | device_index = 0
37 | }
38 |
39 | tags = {
40 | Name = "monitoring"
41 | }
42 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.monitoring
File: /lessons/104/terraform/6-sg.tf:1-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.monitoring
File: /lessons/104/terraform/6-sg.tf:1-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1a
File: /lessons/105/aws-terraform/3-subnets.tf:25-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
25 | resource "aws_subnet" "public-us-east-1a" {
26 | vpc_id = aws_vpc.main.id
27 | cidr_block = "10.0.64.0/19"
28 | availability_zone = "us-east-1a"
29 | map_public_ip_on_launch = true
30 |
31 | tags = {
32 | "Name" = "public-us-east-1a"
33 | "kubernetes.io/role/elb" = "1"
34 | "kubernetes.io/cluster/demo" = "owned"
35 | }
36 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1b
File: /lessons/105/aws-terraform/3-subnets.tf:38-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
38 | resource "aws_subnet" "public-us-east-1b" {
39 | vpc_id = aws_vpc.main.id
40 | cidr_block = "10.0.96.0/19"
41 | availability_zone = "us-east-1b"
42 | map_public_ip_on_launch = true
43 |
44 | tags = {
45 | "Name" = "public-us-east-1b"
46 | "kubernetes.io/role/elb" = "1"
47 | "kubernetes.io/cluster/demo" = "owned"
48 | }
49 | }
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/105/aws-terraform/6-eks.tf:25-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
25 | resource "aws_eks_cluster" "demo" {
26 | name = "demo"
27 | role_arn = aws_iam_role.demo.arn
28 |
29 | vpc_config {
30 | subnet_ids = [
31 | aws_subnet.private-us-east-1a.id,
32 | aws_subnet.private-us-east-1b.id,
33 | aws_subnet.public-us-east-1a.id,
34 | aws_subnet.public-us-east-1b.id
35 | ]
36 | }
37 |
38 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
39 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/105/aws-terraform/6-eks.tf:25-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
25 | resource "aws_eks_cluster" "demo" {
26 | name = "demo"
27 | role_arn = aws_iam_role.demo.arn
28 |
29 | vpc_config {
30 | subnet_ids = [
31 | aws_subnet.private-us-east-1a.id,
32 | aws_subnet.private-us-east-1b.id,
33 | aws_subnet.public-us-east-1a.id,
34 | aws_subnet.public-us-east-1b.id
35 | ]
36 | }
37 |
38 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
39 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/105/aws-terraform/6-eks.tf:25-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
25 | resource "aws_eks_cluster" "demo" {
26 | name = "demo"
27 | role_arn = aws_iam_role.demo.arn
28 |
29 | vpc_config {
30 | subnet_ids = [
31 | aws_subnet.private-us-east-1a.id,
32 | aws_subnet.private-us-east-1b.id,
33 | aws_subnet.public-us-east-1a.id,
34 | aws_subnet.public-us-east-1b.id
35 | ]
36 | }
37 |
38 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
39 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/105/aws-terraform/6-eks.tf:25-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
25 | resource "aws_eks_cluster" "demo" {
26 | name = "demo"
27 | role_arn = aws_iam_role.demo.arn
28 |
29 | vpc_config {
30 | subnet_ids = [
31 | aws_subnet.private-us-east-1a.id,
32 | aws_subnet.private-us-east-1b.id,
33 | aws_subnet.public-us-east-1a.id,
34 | aws_subnet.public-us-east-1b.id
35 | ]
36 | }
37 |
38 | depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
39 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: google_compute_subnetwork.private
File: /lessons/108/terraform/3-subnets.tf:2-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
2 | resource "google_compute_subnetwork" "private" {
3 | name = "private"
4 | ip_cidr_range = "10.0.0.0/18"
5 | region = "us-central1"
6 | network = google_compute_network.main.id
7 | private_ip_google_access = true
8 |
9 | secondary_ip_range {
10 | range_name = "k8s-pod-range"
11 | ip_cidr_range = "10.48.0.0/14"
12 | }
13 | secondary_ip_range {
14 | range_name = "k8s-service-range"
15 | ip_cidr_range = "10.52.0.0/20"
16 | }
17 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: google_compute_subnetwork.private
File: /lessons/108/terraform/3-subnets.tf:2-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
2 | resource "google_compute_subnetwork" "private" {
3 | name = "private"
4 | ip_cidr_range = "10.0.0.0/18"
5 | region = "us-central1"
6 | network = google_compute_network.main.id
7 | private_ip_google_access = true
8 |
9 | secondary_ip_range {
10 | range_name = "k8s-pod-range"
11 | ip_cidr_range = "10.48.0.0/14"
12 | }
13 | secondary_ip_range {
14 | range_name = "k8s-service-range"
15 | ip_cidr_range = "10.52.0.0/20"
16 | }
17 | }
Check: CKV_GCP_2: "Ensure Google compute firewall ingress does not allow unrestricted ssh access"
FAILED for resource: google_compute_firewall.allow-ssh
File: /lessons/108/terraform/6-firewalls.tf:2-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-1.html
2 | resource "google_compute_firewall" "allow-ssh" {
3 | name = "allow-ssh"
4 | network = google_compute_network.main.name
5 |
6 | allow {
7 | protocol = "tcp"
8 | ports = ["22"]
9 | }
10 |
11 | source_ranges = ["0.0.0.0/0"]
12 | }
Check: CKV_GCP_66: "Ensure use of Binary Authorization"
FAILED for resource: google_container_cluster.primary
File: /lessons/108/terraform/7-kubernetes.tf:2-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-use-of-binary-authorization.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_24: "Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters"
FAILED for resource: google_container_cluster.primary
File: /lessons/108/terraform/7-kubernetes.tf:2-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_65: "Manage Kubernetes RBAC users with Google Groups for GKE"
FAILED for resource: google_container_cluster.primary
File: /lessons/108/terraform/7-kubernetes.tf:2-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/manage-kubernetes-rbac-users-with-google-groups-for-gke.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_20: "Ensure master authorized networks is set to enabled in GKE clusters"
FAILED for resource: google_container_cluster.primary
File: /lessons/108/terraform/7-kubernetes.tf:2-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_12: "Ensure Network Policy is enabled on Kubernetes Engine Clusters"
FAILED for resource: google_container_cluster.primary
File: /lessons/108/terraform/7-kubernetes.tf:2-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_21: "Ensure Kubernetes Clusters are configured with Labels"
FAILED for resource: google_container_cluster.primary
File: /lessons/108/terraform/7-kubernetes.tf:2-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-13.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_69: "Ensure the GKE Metadata Server is Enabled"
FAILED for resource: google_container_cluster.primary
File: /lessons/108/terraform/7-kubernetes.tf:2-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-the-gke-metadata-server-is-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_13: "Ensure client certificate authentication to Kubernetes Engine Clusters is disabled"
FAILED for resource: google_container_cluster.primary
File: /lessons/108/terraform/7-kubernetes.tf:2-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_61: "Enable VPC Flow Logs and Intranode Visibility"
FAILED for resource: google_container_cluster.primary
File: /lessons/108/terraform/7-kubernetes.tf:2-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/enable-vpc-flow-logs-and-intranode-visibility.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_68: "Ensure Secure Boot for Shielded GKE Nodes is Enabled"
FAILED for resource: google_container_node_pool.general
File: /lessons/108/terraform/8-node-pools.tf:7-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-secure-boot-for-shielded-gke-nodes-is-enabled.html
7 | resource "google_container_node_pool" "general" {
8 | name = "general"
9 | cluster = google_container_cluster.primary.id
10 | node_count = 1
11 |
12 | management {
13 | auto_repair = true
14 | auto_upgrade = true
15 | }
16 |
17 | node_config {
18 | preemptible = false
19 | machine_type = "e2-small"
20 |
21 | labels = {
22 | role = "general"
23 | }
24 |
25 | service_account = google_service_account.kubernetes.email
26 | oauth_scopes = [
27 | "https://www.googleapis.com/auth/cloud-platform"
28 | ]
29 | }
30 | }
Check: CKV_GCP_69: "Ensure the GKE Metadata Server is Enabled"
FAILED for resource: google_container_node_pool.general
File: /lessons/108/terraform/8-node-pools.tf:7-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-the-gke-metadata-server-is-enabled.html
7 | resource "google_container_node_pool" "general" {
8 | name = "general"
9 | cluster = google_container_cluster.primary.id
10 | node_count = 1
11 |
12 | management {
13 | auto_repair = true
14 | auto_upgrade = true
15 | }
16 |
17 | node_config {
18 | preemptible = false
19 | machine_type = "e2-small"
20 |
21 | labels = {
22 | role = "general"
23 | }
24 |
25 | service_account = google_service_account.kubernetes.email
26 | oauth_scopes = [
27 | "https://www.googleapis.com/auth/cloud-platform"
28 | ]
29 | }
30 | }
Check: CKV_GCP_22: "Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image"
FAILED for resource: google_container_node_pool.general
File: /lessons/108/terraform/8-node-pools.tf:7-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-14.html
7 | resource "google_container_node_pool" "general" {
8 | name = "general"
9 | cluster = google_container_cluster.primary.id
10 | node_count = 1
11 |
12 | management {
13 | auto_repair = true
14 | auto_upgrade = true
15 | }
16 |
17 | node_config {
18 | preemptible = false
19 | machine_type = "e2-small"
20 |
21 | labels = {
22 | role = "general"
23 | }
24 |
25 | service_account = google_service_account.kubernetes.email
26 | oauth_scopes = [
27 | "https://www.googleapis.com/auth/cloud-platform"
28 | ]
29 | }
30 | }
Check: CKV_GCP_68: "Ensure Secure Boot for Shielded GKE Nodes is Enabled"
FAILED for resource: google_container_node_pool.spot
File: /lessons/108/terraform/8-node-pools.tf:32-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-secure-boot-for-shielded-gke-nodes-is-enabled.html
32 | resource "google_container_node_pool" "spot" {
33 | name = "spot"
34 | cluster = google_container_cluster.primary.id
35 |
36 | management {
37 | auto_repair = true
38 | auto_upgrade = true
39 | }
40 |
41 | autoscaling {
42 | min_node_count = 0
43 | max_node_count = 10
44 | }
45 |
46 | node_config {
47 | preemptible = true
48 | machine_type = "e2-small"
49 |
50 | labels = {
51 | team = "devops"
52 | }
53 |
54 | taint {
55 | key = "instance_type"
56 | value = "spot"
57 | effect = "NO_SCHEDULE"
58 | }
59 |
60 | service_account = google_service_account.kubernetes.email
61 | oauth_scopes = [
62 | "https://www.googleapis.com/auth/cloud-platform"
63 | ]
64 | }
65 | }
Check: CKV_GCP_69: "Ensure the GKE Metadata Server is Enabled"
FAILED for resource: google_container_node_pool.spot
File: /lessons/108/terraform/8-node-pools.tf:32-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/ensure-the-gke-metadata-server-is-enabled.html
32 | resource "google_container_node_pool" "spot" {
33 | name = "spot"
34 | cluster = google_container_cluster.primary.id
35 |
36 | management {
37 | auto_repair = true
38 | auto_upgrade = true
39 | }
40 |
41 | autoscaling {
42 | min_node_count = 0
43 | max_node_count = 10
44 | }
45 |
46 | node_config {
47 | preemptible = true
48 | machine_type = "e2-small"
49 |
50 | labels = {
51 | team = "devops"
52 | }
53 |
54 | taint {
55 | key = "instance_type"
56 | value = "spot"
57 | effect = "NO_SCHEDULE"
58 | }
59 |
60 | service_account = google_service_account.kubernetes.email
61 | oauth_scopes = [
62 | "https://www.googleapis.com/auth/cloud-platform"
63 | ]
64 | }
65 | }
Check: CKV_GCP_22: "Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image"
FAILED for resource: google_container_node_pool.spot
File: /lessons/108/terraform/8-node-pools.tf:32-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-kubernetes-policies/bc-gcp-kubernetes-14.html
32 | resource "google_container_node_pool" "spot" {
33 | name = "spot"
34 | cluster = google_container_cluster.primary.id
35 |
36 | management {
37 | auto_repair = true
38 | auto_upgrade = true
39 | }
40 |
41 | autoscaling {
42 | min_node_count = 0
43 | max_node_count = 10
44 | }
45 |
46 | node_config {
47 | preemptible = true
48 | machine_type = "e2-small"
49 |
50 | labels = {
51 | team = "devops"
52 | }
53 |
54 | taint {
55 | key = "instance_type"
56 | value = "spot"
57 | effect = "NO_SCHEDULE"
58 | }
59 |
60 | service_account = google_service_account.kubernetes.email
61 | oauth_scopes = [
62 | "https://www.googleapis.com/auth/cloud-platform"
63 | ]
64 | }
65 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1a
File: /lessons/112/terraform/3-subnets.tf:25-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
25 | resource "aws_subnet" "public-us-east-1a" {
26 | vpc_id = aws_vpc.main.id
27 | cidr_block = "10.0.64.0/19"
28 | availability_zone = "us-east-1a"
29 | map_public_ip_on_launch = true
30 |
31 | tags = {
32 | "Name" = "public-us-east-1a"
33 | "kubernetes.io/role/elb" = "1"
34 | "kubernetes.io/cluster/${var.cluster_name}" = "owned"
35 | }
36 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1b
File: /lessons/112/terraform/3-subnets.tf:38-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
38 | resource "aws_subnet" "public-us-east-1b" {
39 | vpc_id = aws_vpc.main.id
40 | cidr_block = "10.0.96.0/19"
41 | availability_zone = "us-east-1b"
42 | map_public_ip_on_launch = true
43 |
44 | tags = {
45 | "Name" = "public-us-east-1b"
46 | "kubernetes.io/role/elb" = "1"
47 | "kubernetes.io/cluster/${var.cluster_name}" = "owned"
48 | }
49 | }
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/112/terraform/6-eks.tf:25-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = var.cluster_version
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private-us-east-1a.id,
33 | aws_subnet.private-us-east-1b.id,
34 | aws_subnet.public-us-east-1a.id,
35 | aws_subnet.public-us-east-1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
40 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/112/terraform/6-eks.tf:25-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = var.cluster_version
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private-us-east-1a.id,
33 | aws_subnet.private-us-east-1b.id,
34 | aws_subnet.public-us-east-1a.id,
35 | aws_subnet.public-us-east-1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
40 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/112/terraform/6-eks.tf:25-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = var.cluster_version
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private-us-east-1a.id,
33 | aws_subnet.private-us-east-1b.id,
34 | aws_subnet.public-us-east-1a.id,
35 | aws_subnet.public-us-east-1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
40 | }
Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/112/terraform/6-eks.tf:25-40
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = var.cluster_version
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private-us-east-1a.id,
33 | aws_subnet.private-us-east-1b.id,
34 | aws_subnet.public-us-east-1a.id,
35 | aws_subnet.public-us-east-1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
40 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/112/terraform/6-eks.tf:25-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = var.cluster_version
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private-us-east-1a.id,
33 | aws_subnet.private-us-east-1b.id,
34 | aws_subnet.public-us-east-1a.id,
35 | aws_subnet.public-us-east-1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
40 | }
Check: CKV_AWS_184: "Ensure resource is encrypted by KMS using a customer managed Key (CMK)"
FAILED for resource: aws_efs_file_system.eks
File: /lessons/113/terraform/13-efs.tf:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-104.html
1 | resource "aws_efs_file_system" "eks" {
2 | creation_token = "eks"
3 |
4 | performance_mode = "generalPurpose"
5 | throughput_mode = "bursting"
6 | encrypted = true
7 |
8 | # lifecycle_policy {
9 | # transition_to_ia = "AFTER_30_DAYS"
10 | # }
11 |
12 | tags = {
13 | Name = "eks"
14 | }
15 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1a
File: /lessons/113/terraform/3-subnets.tf:25-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
25 | resource "aws_subnet" "public-us-east-1a" {
26 | vpc_id = aws_vpc.main.id
27 | cidr_block = "10.0.64.0/19"
28 | availability_zone = "us-east-1a"
29 | map_public_ip_on_launch = true
30 |
31 | tags = {
32 | "Name" = "public-us-east-1a"
33 | "kubernetes.io/role/elb" = "1"
34 | "kubernetes.io/cluster/${var.cluster_name}" = "owned"
35 | }
36 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1b
File: /lessons/113/terraform/3-subnets.tf:38-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
38 | resource "aws_subnet" "public-us-east-1b" {
39 | vpc_id = aws_vpc.main.id
40 | cidr_block = "10.0.96.0/19"
41 | availability_zone = "us-east-1b"
42 | map_public_ip_on_launch = true
43 |
44 | tags = {
45 | "Name" = "public-us-east-1b"
46 | "kubernetes.io/role/elb" = "1"
47 | "kubernetes.io/cluster/${var.cluster_name}" = "owned"
48 | }
49 | }
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/113/terraform/6-eks.tf:25-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = var.cluster_version
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 |
32 | endpoint_private_access = false
33 | endpoint_public_access = true
34 | public_access_cidrs = ["0.0.0.0/0"]
35 |
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
45 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/113/terraform/6-eks.tf:25-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = var.cluster_version
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 |
32 | endpoint_private_access = false
33 | endpoint_public_access = true
34 | public_access_cidrs = ["0.0.0.0/0"]
35 |
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
45 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/113/terraform/6-eks.tf:25-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = var.cluster_version
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 |
32 | endpoint_private_access = false
33 | endpoint_public_access = true
34 | public_access_cidrs = ["0.0.0.0/0"]
35 |
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
45 | }
Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/113/terraform/6-eks.tf:25-45
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = var.cluster_version
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 |
32 | endpoint_private_access = false
33 | endpoint_public_access = true
34 | public_access_cidrs = ["0.0.0.0/0"]
35 |
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
45 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/113/terraform/6-eks.tf:25-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = var.cluster_version
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 |
32 | endpoint_private_access = false
33 | endpoint_public_access = true
34 | public_access_cidrs = ["0.0.0.0/0"]
35 |
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
45 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1a
File: /lessons/114/terraform/3-subnets.tf:25-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
25 | resource "aws_subnet" "public-us-east-1a" {
26 | vpc_id = aws_vpc.main.id
27 | cidr_block = "10.0.64.0/19"
28 | availability_zone = "us-east-1a"
29 | map_public_ip_on_launch = true
30 |
31 | tags = {
32 | "Name" = "public-us-east-1a"
33 | "kubernetes.io/role/elb" = "1"
34 | "kubernetes.io/cluster/${var.cluster_name}" = "owned"
35 | }
36 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1b
File: /lessons/114/terraform/3-subnets.tf:38-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
38 | resource "aws_subnet" "public-us-east-1b" {
39 | vpc_id = aws_vpc.main.id
40 | cidr_block = "10.0.96.0/19"
41 | availability_zone = "us-east-1b"
42 | map_public_ip_on_launch = true
43 |
44 | tags = {
45 | "Name" = "public-us-east-1b"
46 | "kubernetes.io/role/elb" = "1"
47 | "kubernetes.io/cluster/${var.cluster_name}" = "owned"
48 | }
49 | }
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/114/terraform/6-eks.tf:25-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = "1.22"
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 |
32 | endpoint_private_access = false
33 | endpoint_public_access = true
34 | public_access_cidrs = ["0.0.0.0/0"]
35 |
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
45 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/114/terraform/6-eks.tf:25-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = "1.22"
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 |
32 | endpoint_private_access = false
33 | endpoint_public_access = true
34 | public_access_cidrs = ["0.0.0.0/0"]
35 |
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
45 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/114/terraform/6-eks.tf:25-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = "1.22"
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 |
32 | endpoint_private_access = false
33 | endpoint_public_access = true
34 | public_access_cidrs = ["0.0.0.0/0"]
35 |
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
45 | }
Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/114/terraform/6-eks.tf:25-45
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = "1.22"
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 |
32 | endpoint_private_access = false
33 | endpoint_public_access = true
34 | public_access_cidrs = ["0.0.0.0/0"]
35 |
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
45 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/114/terraform/6-eks.tf:25-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = "1.22"
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 |
32 | endpoint_private_access = false
33 | endpoint_public_access = true
34 | public_access_cidrs = ["0.0.0.0/0"]
35 |
36 | subnet_ids = [
37 | aws_subnet.private-us-east-1a.id,
38 | aws_subnet.private-us-east-1b.id,
39 | aws_subnet.public-us-east-1a.id,
40 | aws_subnet.public-us-east-1b.id
41 | ]
42 | }
43 |
44 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
45 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.hello
File: /lessons/115/terraform/2-hello-lambda.tf:25-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
25 | resource "aws_lambda_function" "hello" {
26 | function_name = "hello"
27 |
28 | s3_bucket = aws_s3_bucket.lambda_bucket.id
29 | s3_key = aws_s3_object.lambda_hello.key
30 |
31 | runtime = "nodejs16.x"
32 | handler = "function.handler"
33 |
34 | source_code_hash = data.archive_file.lambda_hello.output_base64sha256
35 |
36 | role = aws_iam_role.hello_lambda_exec.arn
37 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.hello
File: /lessons/115/terraform/2-hello-lambda.tf:25-37
25 | resource "aws_lambda_function" "hello" {
26 | function_name = "hello"
27 |
28 | s3_bucket = aws_s3_bucket.lambda_bucket.id
29 | s3_key = aws_s3_object.lambda_hello.key
30 |
31 | runtime = "nodejs16.x"
32 | handler = "function.handler"
33 |
34 | source_code_hash = data.archive_file.lambda_hello.output_base64sha256
35 |
36 | role = aws_iam_role.hello_lambda_exec.arn
37 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.hello
File: /lessons/115/terraform/2-hello-lambda.tf:25-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
25 | resource "aws_lambda_function" "hello" {
26 | function_name = "hello"
27 |
28 | s3_bucket = aws_s3_bucket.lambda_bucket.id
29 | s3_key = aws_s3_object.lambda_hello.key
30 |
31 | runtime = "nodejs16.x"
32 | handler = "function.handler"
33 |
34 | source_code_hash = data.archive_file.lambda_hello.output_base64sha256
35 |
36 | role = aws_iam_role.hello_lambda_exec.arn
37 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.hello
File: /lessons/115/terraform/2-hello-lambda.tf:25-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
25 | resource "aws_lambda_function" "hello" {
26 | function_name = "hello"
27 |
28 | s3_bucket = aws_s3_bucket.lambda_bucket.id
29 | s3_key = aws_s3_object.lambda_hello.key
30 |
31 | runtime = "nodejs16.x"
32 | handler = "function.handler"
33 |
34 | source_code_hash = data.archive_file.lambda_hello.output_base64sha256
35 |
36 | role = aws_iam_role.hello_lambda_exec.arn
37 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.hello
File: /lessons/115/terraform/2-hello-lambda.tf:25-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
25 | resource "aws_lambda_function" "hello" {
26 | function_name = "hello"
27 |
28 | s3_bucket = aws_s3_bucket.lambda_bucket.id
29 | s3_key = aws_s3_object.lambda_hello.key
30 |
31 | runtime = "nodejs16.x"
32 | handler = "function.handler"
33 |
34 | source_code_hash = data.archive_file.lambda_hello.output_base64sha256
35 |
36 | role = aws_iam_role.hello_lambda_exec.arn
37 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.hello
File: /lessons/115/terraform/2-hello-lambda.tf:39-43
39 | resource "aws_cloudwatch_log_group" "hello" {
40 | name = "/aws/lambda/${aws_lambda_function.hello.function_name}"
41 |
42 | retention_in_days = 14
43 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.hello
File: /lessons/115/terraform/2-hello-lambda.tf:39-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
39 | resource "aws_cloudwatch_log_group" "hello" {
40 | name = "/aws/lambda/${aws_lambda_function.hello.function_name}"
41 |
42 | retention_in_days = 14
43 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.main_api_gw
File: /lessons/115/terraform/3-api-gateway.tf:31-35
31 | resource "aws_cloudwatch_log_group" "main_api_gw" {
32 | name = "/aws/api-gw/${aws_apigatewayv2_api.main.name}"
33 |
34 | retention_in_days = 14
35 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.main_api_gw
File: /lessons/115/terraform/3-api-gateway.tf:31-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
31 | resource "aws_cloudwatch_log_group" "main_api_gw" {
32 | name = "/aws/api-gw/${aws_apigatewayv2_api.main.name}"
33 |
34 | retention_in_days = 14
35 | }
Check: CKV_AWS_309: "Ensure API GatewayV2 routes specify an authorization type"
FAILED for resource: aws_apigatewayv2_route.get_hello
File: /lessons/115/terraform/4-hello-api-gateway.tf:9-14
9 | resource "aws_apigatewayv2_route" "get_hello" {
10 | api_id = aws_apigatewayv2_api.main.id
11 |
12 | route_key = "GET /hello"
13 | target = "integrations/${aws_apigatewayv2_integration.lambda_hello.id}"
14 | }
Check: CKV_AWS_309: "Ensure API GatewayV2 routes specify an authorization type"
FAILED for resource: aws_apigatewayv2_route.post_hello
File: /lessons/115/terraform/4-hello-api-gateway.tf:16-21
16 | resource "aws_apigatewayv2_route" "post_hello" {
17 | api_id = aws_apigatewayv2_api.main.id
18 |
19 | route_key = "POST /hello"
20 | target = "integrations/${aws_apigatewayv2_integration.lambda_hello.id}"
21 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.s3
File: /lessons/115/terraform/6-s3-lambda.tf:47-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
47 | resource "aws_lambda_function" "s3" {
48 | function_name = "s3"
49 |
50 | s3_bucket = aws_s3_bucket.lambda_bucket.id
51 | s3_key = aws_s3_object.lambda_s3.key
52 |
53 | runtime = "nodejs16.x"
54 | handler = "function.handler"
55 |
56 | source_code_hash = data.archive_file.lambda_s3.output_base64sha256
57 |
58 | role = aws_iam_role.s3_lambda_exec.arn
59 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.s3
File: /lessons/115/terraform/6-s3-lambda.tf:47-59
47 | resource "aws_lambda_function" "s3" {
48 | function_name = "s3"
49 |
50 | s3_bucket = aws_s3_bucket.lambda_bucket.id
51 | s3_key = aws_s3_object.lambda_s3.key
52 |
53 | runtime = "nodejs16.x"
54 | handler = "function.handler"
55 |
56 | source_code_hash = data.archive_file.lambda_s3.output_base64sha256
57 |
58 | role = aws_iam_role.s3_lambda_exec.arn
59 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.s3
File: /lessons/115/terraform/6-s3-lambda.tf:47-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
47 | resource "aws_lambda_function" "s3" {
48 | function_name = "s3"
49 |
50 | s3_bucket = aws_s3_bucket.lambda_bucket.id
51 | s3_key = aws_s3_object.lambda_s3.key
52 |
53 | runtime = "nodejs16.x"
54 | handler = "function.handler"
55 |
56 | source_code_hash = data.archive_file.lambda_s3.output_base64sha256
57 |
58 | role = aws_iam_role.s3_lambda_exec.arn
59 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.s3
File: /lessons/115/terraform/6-s3-lambda.tf:47-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
47 | resource "aws_lambda_function" "s3" {
48 | function_name = "s3"
49 |
50 | s3_bucket = aws_s3_bucket.lambda_bucket.id
51 | s3_key = aws_s3_object.lambda_s3.key
52 |
53 | runtime = "nodejs16.x"
54 | handler = "function.handler"
55 |
56 | source_code_hash = data.archive_file.lambda_s3.output_base64sha256
57 |
58 | role = aws_iam_role.s3_lambda_exec.arn
59 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.s3
File: /lessons/115/terraform/6-s3-lambda.tf:47-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
47 | resource "aws_lambda_function" "s3" {
48 | function_name = "s3"
49 |
50 | s3_bucket = aws_s3_bucket.lambda_bucket.id
51 | s3_key = aws_s3_object.lambda_s3.key
52 |
53 | runtime = "nodejs16.x"
54 | handler = "function.handler"
55 |
56 | source_code_hash = data.archive_file.lambda_s3.output_base64sha256
57 |
58 | role = aws_iam_role.s3_lambda_exec.arn
59 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.s3
File: /lessons/115/terraform/6-s3-lambda.tf:61-65
61 | resource "aws_cloudwatch_log_group" "s3" {
62 | name = "/aws/lambda/${aws_lambda_function.s3.function_name}"
63 |
64 | retention_in_days = 14
65 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.s3
File: /lessons/115/terraform/6-s3-lambda.tf:61-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
61 | resource "aws_cloudwatch_log_group" "s3" {
62 | name = "/aws/lambda/${aws_lambda_function.s3.function_name}"
63 |
64 | retention_in_days = 14
65 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1a
File: /lessons/116/terraform/3-subnets.tf:25-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
25 | resource "aws_subnet" "public-us-east-1a" {
26 | vpc_id = aws_vpc.main.id
27 | cidr_block = "10.0.64.0/19"
28 | availability_zone = "us-east-1a"
29 | map_public_ip_on_launch = true
30 |
31 | tags = {
32 | "Name" = "public-us-east-1a"
33 | "kubernetes.io/role/elb" = "1"
34 | "kubernetes.io/cluster/${var.cluster_name}" = "owned"
35 | }
36 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1b
File: /lessons/116/terraform/3-subnets.tf:38-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
38 | resource "aws_subnet" "public-us-east-1b" {
39 | vpc_id = aws_vpc.main.id
40 | cidr_block = "10.0.96.0/19"
41 | availability_zone = "us-east-1b"
42 | map_public_ip_on_launch = true
43 |
44 | tags = {
45 | "Name" = "public-us-east-1b"
46 | "kubernetes.io/role/elb" = "1"
47 | "kubernetes.io/cluster/${var.cluster_name}" = "owned"
48 | }
49 | }
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/116/terraform/6-eks.tf:25-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = var.cluster_version
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private-us-east-1a.id,
33 | aws_subnet.private-us-east-1b.id,
34 | aws_subnet.public-us-east-1a.id,
35 | aws_subnet.public-us-east-1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
40 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/116/terraform/6-eks.tf:25-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = var.cluster_version
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private-us-east-1a.id,
33 | aws_subnet.private-us-east-1b.id,
34 | aws_subnet.public-us-east-1a.id,
35 | aws_subnet.public-us-east-1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
40 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/116/terraform/6-eks.tf:25-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = var.cluster_version
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private-us-east-1a.id,
33 | aws_subnet.private-us-east-1b.id,
34 | aws_subnet.public-us-east-1a.id,
35 | aws_subnet.public-us-east-1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
40 | }
Check: CKV_AWS_339: "Ensure EKS clusters run on a supported Kubernetes version"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/116/terraform/6-eks.tf:25-40
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = var.cluster_version
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private-us-east-1a.id,
33 | aws_subnet.private-us-east-1b.id,
34 | aws_subnet.public-us-east-1a.id,
35 | aws_subnet.public-us-east-1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
40 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: aws_eks_cluster.cluster
File: /lessons/116/terraform/6-eks.tf:25-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
25 | resource "aws_eks_cluster" "cluster" {
26 | name = var.cluster_name
27 | version = var.cluster_version
28 | role_arn = aws_iam_role.eks-cluster.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private-us-east-1a.id,
33 | aws_subnet.private-us-east-1b.id,
34 | aws_subnet.public-us-east-1a.id,
35 | aws_subnet.public-us-east-1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.amazon-eks-cluster-policy]
40 | }
Check: CKV_AWS_76: "Ensure API Gateway has Access Logging enabled"
FAILED for resource: aws_apigatewayv2_stage.dev
File: /lessons/116/terraform/8-api-gateway.tf:6-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-17.html
6 | resource "aws_apigatewayv2_stage" "dev" {
7 | api_id = aws_apigatewayv2_api.main.id
8 |
9 | name = "dev"
10 | auto_deploy = true
11 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.vpc_link
File: /lessons/116/terraform/9-integration.tf:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
1 | resource "aws_security_group" "vpc_link" {
2 | name = "vpc-link"
3 | vpc_id = aws_vpc.main.id
4 |
5 | egress {
6 | from_port = 0
7 | to_port = 0
8 | protocol = "-1"
9 | cidr_blocks = ["0.0.0.0/0"]
10 | }
11 | }
Check: CKV_AWS_309: "Ensure API GatewayV2 routes specify an authorization type"
FAILED for resource: aws_apigatewayv2_route.get_echo
File: /lessons/116/terraform/9-integration.tf:32-37
32 | resource "aws_apigatewayv2_route" "get_echo" {
33 | api_id = aws_apigatewayv2_api.main.id
34 |
35 | route_key = "GET /echo"
36 | target = "integrations/${aws_apigatewayv2_integration.eks.id}"
37 | }
Check: CKV_AWS_76: "Ensure API Gateway has Access Logging enabled"
FAILED for resource: aws_apigatewayv2_stage.staging
File: /lessons/117/terraform/1-api-gateway.tf:6-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-17.html
6 | resource "aws_apigatewayv2_stage" "staging" {
7 | name = "staging"
8 | api_id = aws_apigatewayv2_api.main.id
9 | auto_deploy = true
10 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.hello
File: /lessons/117/terraform/3-hello-lambda.tf:25-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
25 | resource "aws_lambda_function" "hello" {
26 | function_name = "hello"
27 |
28 | s3_bucket = aws_s3_bucket.lambda_bucket.id
29 | s3_key = aws_s3_object.lambda_hello.key
30 |
31 | runtime = "nodejs16.x"
32 | handler = "function.handler"
33 |
34 | source_code_hash = data.archive_file.lambda_hello.output_base64sha256
35 |
36 | role = aws_iam_role.hello_lambda_exec.arn
37 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.hello
File: /lessons/117/terraform/3-hello-lambda.tf:25-37
25 | resource "aws_lambda_function" "hello" {
26 | function_name = "hello"
27 |
28 | s3_bucket = aws_s3_bucket.lambda_bucket.id
29 | s3_key = aws_s3_object.lambda_hello.key
30 |
31 | runtime = "nodejs16.x"
32 | handler = "function.handler"
33 |
34 | source_code_hash = data.archive_file.lambda_hello.output_base64sha256
35 |
36 | role = aws_iam_role.hello_lambda_exec.arn
37 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.hello
File: /lessons/117/terraform/3-hello-lambda.tf:25-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
25 | resource "aws_lambda_function" "hello" {
26 | function_name = "hello"
27 |
28 | s3_bucket = aws_s3_bucket.lambda_bucket.id
29 | s3_key = aws_s3_object.lambda_hello.key
30 |
31 | runtime = "nodejs16.x"
32 | handler = "function.handler"
33 |
34 | source_code_hash = data.archive_file.lambda_hello.output_base64sha256
35 |
36 | role = aws_iam_role.hello_lambda_exec.arn
37 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.hello
File: /lessons/117/terraform/3-hello-lambda.tf:25-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
25 | resource "aws_lambda_function" "hello" {
26 | function_name = "hello"
27 |
28 | s3_bucket = aws_s3_bucket.lambda_bucket.id
29 | s3_key = aws_s3_object.lambda_hello.key
30 |
31 | runtime = "nodejs16.x"
32 | handler = "function.handler"
33 |
34 | source_code_hash = data.archive_file.lambda_hello.output_base64sha256
35 |
36 | role = aws_iam_role.hello_lambda_exec.arn
37 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.hello
File: /lessons/117/terraform/3-hello-lambda.tf:25-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
25 | resource "aws_lambda_function" "hello" {
26 | function_name = "hello"
27 |
28 | s3_bucket = aws_s3_bucket.lambda_bucket.id
29 | s3_key = aws_s3_object.lambda_hello.key
30 |
31 | runtime = "nodejs16.x"
32 | handler = "function.handler"
33 |
34 | source_code_hash = data.archive_file.lambda_hello.output_base64sha256
35 |
36 | role = aws_iam_role.hello_lambda_exec.arn
37 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.hello
File: /lessons/117/terraform/3-hello-lambda.tf:39-43
39 | resource "aws_cloudwatch_log_group" "hello" {
40 | name = "/aws/lambda/${aws_lambda_function.hello.function_name}"
41 |
42 | retention_in_days = 14
43 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.hello
File: /lessons/117/terraform/3-hello-lambda.tf:39-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
39 | resource "aws_cloudwatch_log_group" "hello" {
40 | name = "/aws/lambda/${aws_lambda_function.hello.function_name}"
41 |
42 | retention_in_days = 14
43 | }
Check: CKV_AWS_309: "Ensure API GatewayV2 routes specify an authorization type"
FAILED for resource: aws_apigatewayv2_route.get_hello
File: /lessons/117/terraform/4-hello-api-gateway.tf:9-14
9 | resource "aws_apigatewayv2_route" "get_hello" {
10 | api_id = aws_apigatewayv2_api.main.id
11 |
12 | route_key = "GET /hello"
13 | target = "integrations/${aws_apigatewayv2_integration.lambda_hello.id}"
14 | }
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
FAILED for resource: aws_acm_certificate.api
File: /lessons/117/terraform/5-certificate.tf:1-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy.html
1 | resource "aws_acm_certificate" "api" {
2 | domain_name = "api.antonputra.com"
3 | validation_method = "DNS"
4 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.my-app-example-2
File: /lessons/118/terraform/10-ec2-example-2.tf:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
1 | resource "aws_instance" "my-app-example-2" {
2 | ami = "ami-0d5482f3cb962780f"
3 | instance_type = "t3.micro"
4 | key_name = "devops"
5 | subnet_id = aws_subnet.private-us-east-1a.id
6 |
7 | vpc_security_group_ids = [aws_security_group.my-app-example-2.id]
8 |
9 | tags = {
10 | Name = "my-app-example-2"
11 | }
12 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.my-app-example-2
File: /lessons/118/terraform/10-ec2-example-2.tf:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
1 | resource "aws_instance" "my-app-example-2" {
2 | ami = "ami-0d5482f3cb962780f"
3 | instance_type = "t3.micro"
4 | key_name = "devops"
5 | subnet_id = aws_subnet.private-us-east-1a.id
6 |
7 | vpc_security_group_ids = [aws_security_group.my-app-example-2.id]
8 |
9 | tags = {
10 | Name = "my-app-example-2"
11 | }
12 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.my-app-example-2
File: /lessons/118/terraform/10-ec2-example-2.tf:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
1 | resource "aws_instance" "my-app-example-2" {
2 | ami = "ami-0d5482f3cb962780f"
3 | instance_type = "t3.micro"
4 | key_name = "devops"
5 | subnet_id = aws_subnet.private-us-east-1a.id
6 |
7 | vpc_security_group_ids = [aws_security_group.my-app-example-2.id]
8 |
9 | tags = {
10 | Name = "my-app-example-2"
11 | }
12 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.my-app-example-2
File: /lessons/118/terraform/10-ec2-example-2.tf:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
1 | resource "aws_instance" "my-app-example-2" {
2 | ami = "ami-0d5482f3cb962780f"
3 | instance_type = "t3.micro"
4 | key_name = "devops"
5 | subnet_id = aws_subnet.private-us-east-1a.id
6 |
7 | vpc_security_group_ids = [aws_security_group.my-app-example-2.id]
8 |
9 | tags = {
10 | Name = "my-app-example-2"
11 | }
12 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: aws_lb.my-app-example-2
File: /lessons/118/terraform/11-nlb-example-2.tf:20-29
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
20 | resource "aws_lb" "my-app-example-2" {
21 | name = "my-app-example-2"
22 | internal = true
23 | load_balancer_type = "network"
24 |
25 | subnets = [
26 | aws_subnet.private-us-east-1a.id,
27 | aws_subnet.private-us-east-1b.id
28 | ]
29 | }
Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
FAILED for resource: aws_lb.my-app-example-2
File: /lessons/118/terraform/11-nlb-example-2.tf:20-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled.html
20 | resource "aws_lb" "my-app-example-2" {
21 | name = "my-app-example-2"
22 | internal = true
23 | load_balancer_type = "network"
24 |
25 | subnets = [
26 | aws_subnet.private-us-east-1a.id,
27 | aws_subnet.private-us-east-1b.id
28 | ]
29 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.my-app-example-2
File: /lessons/118/terraform/11-nlb-example-2.tf:20-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
20 | resource "aws_lb" "my-app-example-2" {
21 | name = "my-app-example-2"
22 | internal = true
23 | load_balancer_type = "network"
24 |
25 | subnets = [
26 | aws_subnet.private-us-east-1a.id,
27 | aws_subnet.private-us-east-1b.id
28 | ]
29 | }
Check: CKV_AWS_76: "Ensure API Gateway has Access Logging enabled"
FAILED for resource: aws_apigatewayv2_stage.staging
File: /lessons/118/terraform/12-api-gw-example-2.tf:6-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-17.html
6 | resource "aws_apigatewayv2_stage" "staging" {
7 | api_id = aws_apigatewayv2_api.api-gw-example-2.id
8 |
9 | name = "staging"
10 | auto_deploy = true
11 | }
Check: CKV_AWS_309: "Ensure API GatewayV2 routes specify an authorization type"
FAILED for resource: aws_apigatewayv2_route.api-gw-example-2
File: /lessons/118/terraform/12-api-gw-example-2.tf:32-37
32 | resource "aws_apigatewayv2_route" "api-gw-example-2" {
33 | api_id = aws_apigatewayv2_api.api-gw-example-2.id
34 |
35 | route_key = "ANY /{proxy+}"
36 | target = "integrations/${aws_apigatewayv2_integration.api-gw-example-2.id}"
37 | }
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
FAILED for resource: aws_acm_certificate.api
File: /lessons/118/terraform/13-certificate-example-2.tf:1-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy.html
1 | resource "aws_acm_certificate" "api" {
2 | domain_name = "api.antonputra.com"
3 | validation_method = "DNS"
4 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.my-app-example-3
File: /lessons/118/terraform/15-sg-example-3.tf:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
1 | resource "aws_security_group" "my-app-example-3" {
2 | name = "my-app-example-3"
3 | description = "Allow API Access"
4 | vpc_id = aws_vpc.main.id
5 |
6 | ingress {
7 | description = "Allow Health Checks"
8 | from_port = 8080
9 | to_port = 8080
10 | protocol = "tcp"
11 | cidr_blocks = [aws_vpc.main.cidr_block]
12 | }
13 |
14 | egress {
15 | from_port = 0
16 | to_port = 0
17 | protocol = "-1"
18 | cidr_blocks = ["0.0.0.0/0"]
19 | }
20 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_launch_template.my-app-example-3
File: /lessons/118/terraform/16-launch-template-example-3.tf:1-6
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
1 | resource "aws_launch_template" "my-app-example-3" {
2 | name = "my-app-example-3"
3 | image_id = "ami-0d5482f3cb962780f"
4 | key_name = "devops"
5 | vpc_security_group_ids = [aws_security_group.my-app-example-3.id]
6 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: aws_lb.my-app-example-3
File: /lessons/118/terraform/17-nlb-example-3.tf:13-22
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
13 | resource "aws_lb" "my-app-example-3" {
14 | name = "my-app-example-3"
15 | internal = true
16 | load_balancer_type = "network"
17 |
18 | subnets = [
19 | aws_subnet.private-us-east-1a.id,
20 | aws_subnet.private-us-east-1b.id
21 | ]
22 | }
Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
FAILED for resource: aws_lb.my-app-example-3
File: /lessons/118/terraform/17-nlb-example-3.tf:13-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled.html
13 | resource "aws_lb" "my-app-example-3" {
14 | name = "my-app-example-3"
15 | internal = true
16 | load_balancer_type = "network"
17 |
18 | subnets = [
19 | aws_subnet.private-us-east-1a.id,
20 | aws_subnet.private-us-east-1b.id
21 | ]
22 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.my-app-example-3
File: /lessons/118/terraform/17-nlb-example-3.tf:13-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
13 | resource "aws_lb" "my-app-example-3" {
14 | name = "my-app-example-3"
15 | internal = true
16 | load_balancer_type = "network"
17 |
18 | subnets = [
19 | aws_subnet.private-us-east-1a.id,
20 | aws_subnet.private-us-east-1b.id
21 | ]
22 | }
Check: CKV_AWS_153: "Autoscaling groups should supply tags to launch configurations"
FAILED for resource: aws_autoscaling_group.my-app-example-3
File: /lessons/118/terraform/18-ag-example-3.tf:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/autoscaling-groups-should-supply-tags-to-launch-configurations.html
1 | resource "aws_autoscaling_group" "my-app-example-3" {
2 | name = "my-app-example-3"
3 | min_size = 1
4 | max_size = 3
5 |
6 | health_check_type = "EC2"
7 | vpc_zone_identifier = [aws_subnet.private-us-east-1a.id, aws_subnet.private-us-east-1b.id]
8 | target_group_arns = [aws_lb_target_group.my-app-example-3.arn]
9 |
10 | mixed_instances_policy {
11 | launch_template {
12 | launch_template_specification {
13 | launch_template_id = aws_launch_template.my-app-example-3.id
14 | }
15 | override {
16 | instance_type = "t3.micro"
17 | }
18 | }
19 | }
20 | }
Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
FAILED for resource: aws_autoscaling_group.my-app-example-3
File: /lessons/118/terraform/18-ag-example-3.tf:1-20
1 | resource "aws_autoscaling_group" "my-app-example-3" {
2 | name = "my-app-example-3"
3 | min_size = 1
4 | max_size = 3
5 |
6 | health_check_type = "EC2"
7 | vpc_zone_identifier = [aws_subnet.private-us-east-1a.id, aws_subnet.private-us-east-1b.id]
8 | target_group_arns = [aws_lb_target_group.my-app-example-3.arn]
9 |
10 | mixed_instances_policy {
11 | launch_template {
12 | launch_template_specification {
13 | launch_template_id = aws_launch_template.my-app-example-3.id
14 | }
15 | override {
16 | instance_type = "t3.micro"
17 | }
18 | }
19 | }
20 | }
Check: CKV_AWS_76: "Ensure API Gateway has Access Logging enabled"
FAILED for resource: aws_apigatewayv2_stage.dev
File: /lessons/118/terraform/19-api-gw-example-3.tf:6-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-17.html
6 | resource "aws_apigatewayv2_stage" "dev" {
7 | api_id = aws_apigatewayv2_api.api-gw-example-3.id
8 |
9 | name = "dev"
10 | auto_deploy = true
11 | }
Check: CKV_AWS_309: "Ensure API GatewayV2 routes specify an authorization type"
FAILED for resource: aws_apigatewayv2_route.api-gw-example-3
File: /lessons/118/terraform/19-api-gw-example-3.tf:32-37
32 | resource "aws_apigatewayv2_route" "api-gw-example-3" {
33 | api_id = aws_apigatewayv2_api.api-gw-example-3.id
34 |
35 | route_key = "ANY /{proxy+}"
36 | target = "integrations/${aws_apigatewayv2_integration.api-gw-example-3.id}"
37 | }
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
FAILED for resource: aws_acm_certificate.api-v2
File: /lessons/118/terraform/20-certificate-example-3.tf:1-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy.html
1 | resource "aws_acm_certificate" "api-v2" {
2 | domain_name = "api-v2.antonputra.com"
3 | validation_method = "DNS"
4 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1a
File: /lessons/118/terraform/3-subnets.tf:21-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
21 | resource "aws_subnet" "public-us-east-1a" {
22 | vpc_id = aws_vpc.main.id
23 | cidr_block = "10.0.64.0/19"
24 | availability_zone = "us-east-1a"
25 | map_public_ip_on_launch = true
26 |
27 | tags = {
28 | "Name" = "public-us-east-1a"
29 | }
30 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1b
File: /lessons/118/terraform/3-subnets.tf:32-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
32 | resource "aws_subnet" "public-us-east-1b" {
33 | vpc_id = aws_vpc.main.id
34 | cidr_block = "10.0.96.0/19"
35 | availability_zone = "us-east-1b"
36 | map_public_ip_on_launch = true
37 |
38 | tags = {
39 | "Name" = "public-us-east-1b"
40 | }
41 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.my-app-example-1
File: /lessons/118/terraform/6-sg-example-1.tf:1-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
1 | resource "aws_security_group" "my-app-example-1" {
2 | name = "my-app-example-1"
3 | description = "Allow API Access"
4 | vpc_id = aws_vpc.main.id
5 |
6 | ingress {
7 | from_port = 22
8 | to_port = 22
9 | protocol = "tcp"
10 | cidr_blocks = ["0.0.0.0/0"]
11 | }
12 |
13 | ingress {
14 | from_port = 8080
15 | to_port = 8080
16 | protocol = "tcp"
17 | cidr_blocks = ["0.0.0.0/0"]
18 | }
19 |
20 | egress {
21 | from_port = 0
22 | to_port = 0
23 | protocol = "-1"
24 | cidr_blocks = ["0.0.0.0/0"]
25 | }
26 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.my-app-example-1
File: /lessons/118/terraform/6-sg-example-1.tf:1-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
1 | resource "aws_security_group" "my-app-example-1" {
2 | name = "my-app-example-1"
3 | description = "Allow API Access"
4 | vpc_id = aws_vpc.main.id
5 |
6 | ingress {
7 | from_port = 22
8 | to_port = 22
9 | protocol = "tcp"
10 | cidr_blocks = ["0.0.0.0/0"]
11 | }
12 |
13 | ingress {
14 | from_port = 8080
15 | to_port = 8080
16 | protocol = "tcp"
17 | cidr_blocks = ["0.0.0.0/0"]
18 | }
19 |
20 | egress {
21 | from_port = 0
22 | to_port = 0
23 | protocol = "-1"
24 | cidr_blocks = ["0.0.0.0/0"]
25 | }
26 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.my-app-example-1
File: /lessons/118/terraform/7-ec2-example-1.tf:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
1 | resource "aws_instance" "my-app-example-1" {
2 | ami = "ami-0d5482f3cb962780f"
3 | instance_type = "t3.micro"
4 | key_name = "devops"
5 | subnet_id = aws_subnet.public-us-east-1a.id
6 |
7 | associate_public_ip_address = true
8 | vpc_security_group_ids = [aws_security_group.my-app-example-1.id]
9 |
10 | tags = {
11 | Name = "my-app-example-1"
12 | }
13 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.my-app-example-1
File: /lessons/118/terraform/7-ec2-example-1.tf:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
1 | resource "aws_instance" "my-app-example-1" {
2 | ami = "ami-0d5482f3cb962780f"
3 | instance_type = "t3.micro"
4 | key_name = "devops"
5 | subnet_id = aws_subnet.public-us-east-1a.id
6 |
7 | associate_public_ip_address = true
8 | vpc_security_group_ids = [aws_security_group.my-app-example-1.id]
9 |
10 | tags = {
11 | Name = "my-app-example-1"
12 | }
13 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.my-app-example-1
File: /lessons/118/terraform/7-ec2-example-1.tf:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
1 | resource "aws_instance" "my-app-example-1" {
2 | ami = "ami-0d5482f3cb962780f"
3 | instance_type = "t3.micro"
4 | key_name = "devops"
5 | subnet_id = aws_subnet.public-us-east-1a.id
6 |
7 | associate_public_ip_address = true
8 | vpc_security_group_ids = [aws_security_group.my-app-example-1.id]
9 |
10 | tags = {
11 | Name = "my-app-example-1"
12 | }
13 | }
Check: CKV_AWS_88: "EC2 instance should not have public IP."
FAILED for resource: aws_instance.my-app-example-1
File: /lessons/118/terraform/7-ec2-example-1.tf:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html
1 | resource "aws_instance" "my-app-example-1" {
2 | ami = "ami-0d5482f3cb962780f"
3 | instance_type = "t3.micro"
4 | key_name = "devops"
5 | subnet_id = aws_subnet.public-us-east-1a.id
6 |
7 | associate_public_ip_address = true
8 | vpc_security_group_ids = [aws_security_group.my-app-example-1.id]
9 |
10 | tags = {
11 | Name = "my-app-example-1"
12 | }
13 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.my-app-example-1
File: /lessons/118/terraform/7-ec2-example-1.tf:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
1 | resource "aws_instance" "my-app-example-1" {
2 | ami = "ami-0d5482f3cb962780f"
3 | instance_type = "t3.micro"
4 | key_name = "devops"
5 | subnet_id = aws_subnet.public-us-east-1a.id
6 |
7 | associate_public_ip_address = true
8 | vpc_security_group_ids = [aws_security_group.my-app-example-1.id]
9 |
10 | tags = {
11 | Name = "my-app-example-1"
12 | }
13 | }
Check: CKV_AWS_76: "Ensure API Gateway has Access Logging enabled"
FAILED for resource: aws_apigatewayv2_stage.prod
File: /lessons/118/terraform/8-api-gw-example-1.tf:6-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-17.html
6 | resource "aws_apigatewayv2_stage" "prod" {
7 | api_id = aws_apigatewayv2_api.api-gw-example-1.id
8 |
9 | name = "prod"
10 | auto_deploy = true
11 | }
Check: CKV_AWS_309: "Ensure API GatewayV2 routes specify an authorization type"
FAILED for resource: aws_apigatewayv2_route.api-gw-example-1
File: /lessons/118/terraform/8-api-gw-example-1.tf:22-27
22 | resource "aws_apigatewayv2_route" "api-gw-example-1" {
23 | api_id = aws_apigatewayv2_api.api-gw-example-1.id
24 |
25 | route_key = "ANY /{proxy+}"
26 | target = "integrations/${aws_apigatewayv2_integration.api-gw-example-1.id}"
27 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.my-app-example-2
File: /lessons/118/terraform/9-sg-example-2.tf:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
1 | resource "aws_security_group" "my-app-example-2" {
2 | name = "my-app-example-2"
3 | description = "Allow API Access"
4 | vpc_id = aws_vpc.main.id
5 |
6 | ingress {
7 | description = "Allow Health Checks"
8 | from_port = 8080
9 | to_port = 8080
10 | protocol = "tcp"
11 | cidr_blocks = [aws_vpc.main.cidr_block]
12 | }
13 |
14 | egress {
15 | from_port = 0
16 | to_port = 0
17 | protocol = "-1"
18 | cidr_blocks = ["0.0.0.0/0"]
19 | }
20 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1a
File: /lessons/119/terraform/3-subnets.tf:21-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
21 | resource "aws_subnet" "public-us-east-1a" {
22 | vpc_id = aws_vpc.main.id
23 | cidr_block = "10.0.64.0/19"
24 | availability_zone = "us-east-1a"
25 | map_public_ip_on_launch = true
26 |
27 | tags = {
28 | "Name" = "public-us-east-1a"
29 | }
30 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1b
File: /lessons/119/terraform/3-subnets.tf:32-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
32 | resource "aws_subnet" "public-us-east-1b" {
33 | vpc_id = aws_vpc.main.id
34 | cidr_block = "10.0.96.0/19"
35 | availability_zone = "us-east-1b"
36 | map_public_ip_on_launch = true
37 |
38 | tags = {
39 | "Name" = "public-us-east-1b"
40 | }
41 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: google_compute_subnetwork.private
File: /lessons/120/terraform/3-subnets.tf:2-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
2 | resource "google_compute_subnetwork" "private" {
3 | name = "private"
4 | region = local.region
5 | ip_cidr_range = "10.0.0.0/18"
6 | stack_type = "IPV4_ONLY"
7 | network = google_compute_network.main.id
8 | private_ip_google_access = true
9 | }
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: google_compute_subnetwork.public
File: /lessons/120/terraform/3-subnets.tf:11-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
11 | resource "google_compute_subnetwork" "public" {
12 | name = "public"
13 | region = local.region
14 | ip_cidr_range = "10.0.64.0/18"
15 | stack_type = "IPV4_ONLY"
16 | network = google_compute_network.main.id
17 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: google_compute_subnetwork.public
File: /lessons/120/terraform/3-subnets.tf:11-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
11 | resource "google_compute_subnetwork" "public" {
12 | name = "public"
13 | region = local.region
14 | ip_cidr_range = "10.0.64.0/18"
15 | stack_type = "IPV4_ONLY"
16 | network = google_compute_network.main.id
17 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1a
File: /lessons/121/terraform/3-subnets.tf:21-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
21 | resource "aws_subnet" "public-us-east-1a" {
22 | vpc_id = aws_vpc.main.id
23 | cidr_block = "10.0.64.0/19"
24 | availability_zone = "us-east-1a"
25 | map_public_ip_on_launch = true
26 |
27 | tags = {
28 | "Name" = "public-us-east-1a"
29 | }
30 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public-us-east-1b
File: /lessons/121/terraform/3-subnets.tf:32-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
32 | resource "aws_subnet" "public-us-east-1b" {
33 | vpc_id = aws_vpc.main.id
34 | cidr_block = "10.0.96.0/19"
35 | availability_zone = "us-east-1b"
36 | map_public_ip_on_launch = true
37 |
38 | tags = {
39 | "Name" = "public-us-east-1b"
40 | }
41 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.my_server_ssh_access
File: /lessons/121/terraform/6-ec2.tf:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
1 | resource "aws_security_group" "my_server_ssh_access" {
2 | name = "my-server-ssh-access"
3 | description = "Allow My Server SSH Accesss"
4 | vpc_id = aws_vpc.main.id
5 |
6 | ingress {
7 | description = "Allow SSH from Anywhere"
8 | from_port = 22
9 | to_port = 22
10 | protocol = "tcp"
11 | cidr_blocks = ["0.0.0.0/0"]
12 | }
13 |
14 | egress {
15 | from_port = 0
16 | to_port = 0
17 | protocol = "-1"
18 | cidr_blocks = ["0.0.0.0/0"]
19 | }
20 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.my_server_ssh_access
File: /lessons/121/terraform/6-ec2.tf:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
1 | resource "aws_security_group" "my_server_ssh_access" {
2 | name = "my-server-ssh-access"
3 | description = "Allow My Server SSH Accesss"
4 | vpc_id = aws_vpc.main.id
5 |
6 | ingress {
7 | description = "Allow SSH from Anywhere"
8 | from_port = 22
9 | to_port = 22
10 | protocol = "tcp"
11 | cidr_blocks = ["0.0.0.0/0"]
12 | }
13 |
14 | egress {
15 | from_port = 0
16 | to_port = 0
17 | protocol = "-1"
18 | cidr_blocks = ["0.0.0.0/0"]
19 | }
20 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.my_server
File: /lessons/121/terraform/6-ec2.tf:38-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
38 | resource "aws_instance" "my_server" {
39 | ami = data.aws_ami.ubuntu.id
40 | instance_type = "t3.micro"
41 |
42 | key_name = "old-key"
43 | subnet_id = aws_subnet.public-us-east-1a.id
44 | vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
45 |
46 | associate_public_ip_address = true
47 |
48 | tags = {
49 | Name = "My Server"
50 | }
51 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.my_server
File: /lessons/121/terraform/6-ec2.tf:38-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
38 | resource "aws_instance" "my_server" {
39 | ami = data.aws_ami.ubuntu.id
40 | instance_type = "t3.micro"
41 |
42 | key_name = "old-key"
43 | subnet_id = aws_subnet.public-us-east-1a.id
44 | vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
45 |
46 | associate_public_ip_address = true
47 |
48 | tags = {
49 | Name = "My Server"
50 | }
51 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.my_server
File: /lessons/121/terraform/6-ec2.tf:38-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
38 | resource "aws_instance" "my_server" {
39 | ami = data.aws_ami.ubuntu.id
40 | instance_type = "t3.micro"
41 |
42 | key_name = "old-key"
43 | subnet_id = aws_subnet.public-us-east-1a.id
44 | vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
45 |
46 | associate_public_ip_address = true
47 |
48 | tags = {
49 | Name = "My Server"
50 | }
51 | }
Check: CKV_AWS_88: "EC2 instance should not have public IP."
FAILED for resource: aws_instance.my_server
File: /lessons/121/terraform/6-ec2.tf:38-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html
38 | resource "aws_instance" "my_server" {
39 | ami = data.aws_ami.ubuntu.id
40 | instance_type = "t3.micro"
41 |
42 | key_name = "old-key"
43 | subnet_id = aws_subnet.public-us-east-1a.id
44 | vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
45 |
46 | associate_public_ip_address = true
47 |
48 | tags = {
49 | Name = "My Server"
50 | }
51 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.my_server
File: /lessons/121/terraform/6-ec2.tf:38-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
38 | resource "aws_instance" "my_server" {
39 | ami = data.aws_ami.ubuntu.id
40 | instance_type = "t3.micro"
41 |
42 | key_name = "old-key"
43 | subnet_id = aws_subnet.public-us-east-1a.id
44 | vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
45 |
46 | associate_public_ip_address = true
47 |
48 | tags = {
49 | Name = "My Server"
50 | }
51 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_us_east_1a
File: /lessons/122/terraform/3-subnets.tf:24-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
24 | resource "aws_subnet" "public_us_east_1a" {
25 | vpc_id = aws_vpc.main.id
26 | cidr_block = "10.0.64.0/19"
27 | availability_zone = "us-east-1a"
28 | map_public_ip_on_launch = true
29 |
30 | tags = {
31 | "Name" = "public-us-east-1a"
32 | }
33 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_us_east_1b
File: /lessons/122/terraform/3-subnets.tf:36-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
36 | resource "aws_subnet" "public_us_east_1b" {
37 | vpc_id = aws_vpc.main.id
38 | cidr_block = "10.0.96.0/19"
39 | availability_zone = "us-east-1b"
40 | map_public_ip_on_launch = true
41 |
42 | tags = {
43 | "Name" = "public-us-east-1b"
44 | }
45 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.my_server_ssh_access
File: /lessons/122/terraform/6-ec2.tf:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
2 | resource "aws_security_group" "my_server_ssh_access" {
3 | name = "my-server-ssh-access"
4 | description = "Allow My Server SSH Accesss"
5 | vpc_id = aws_vpc.main.id
6 |
7 | ingress {
8 | description = "Allow SSH from Anywhere"
9 | from_port = 22
10 | to_port = 22
11 | protocol = "tcp"
12 | cidr_blocks = ["0.0.0.0/0"]
13 | }
14 |
15 | egress {
16 | from_port = 0
17 | to_port = 0
18 | protocol = "-1"
19 | cidr_blocks = ["0.0.0.0/0"]
20 | }
21 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.my_server_ssh_access
File: /lessons/122/terraform/6-ec2.tf:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
2 | resource "aws_security_group" "my_server_ssh_access" {
3 | name = "my-server-ssh-access"
4 | description = "Allow My Server SSH Accesss"
5 | vpc_id = aws_vpc.main.id
6 |
7 | ingress {
8 | description = "Allow SSH from Anywhere"
9 | from_port = 22
10 | to_port = 22
11 | protocol = "tcp"
12 | cidr_blocks = ["0.0.0.0/0"]
13 | }
14 |
15 | egress {
16 | from_port = 0
17 | to_port = 0
18 | protocol = "-1"
19 | cidr_blocks = ["0.0.0.0/0"]
20 | }
21 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.my_server
File: /lessons/122/terraform/6-ec2.tf:41-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
41 | resource "aws_instance" "my_server" {
42 | ami = data.aws_ami.ubuntu.id
43 | instance_type = "t3.micro"
44 |
45 | # create devops key pair manually before you run terraform
46 | key_name = "devops"
47 |
48 | subnet_id = aws_subnet.public_us_east_1a.id
49 | vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
50 |
51 | associate_public_ip_address = true
52 |
53 | tags = {
54 | Name = "my-server"
55 | }
56 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.my_server
File: /lessons/122/terraform/6-ec2.tf:41-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
41 | resource "aws_instance" "my_server" {
42 | ami = data.aws_ami.ubuntu.id
43 | instance_type = "t3.micro"
44 |
45 | # create devops key pair manually before you run terraform
46 | key_name = "devops"
47 |
48 | subnet_id = aws_subnet.public_us_east_1a.id
49 | vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
50 |
51 | associate_public_ip_address = true
52 |
53 | tags = {
54 | Name = "my-server"
55 | }
56 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.my_server
File: /lessons/122/terraform/6-ec2.tf:41-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
41 | resource "aws_instance" "my_server" {
42 | ami = data.aws_ami.ubuntu.id
43 | instance_type = "t3.micro"
44 |
45 | # create devops key pair manually before you run terraform
46 | key_name = "devops"
47 |
48 | subnet_id = aws_subnet.public_us_east_1a.id
49 | vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
50 |
51 | associate_public_ip_address = true
52 |
53 | tags = {
54 | Name = "my-server"
55 | }
56 | }
Check: CKV_AWS_88: "EC2 instance should not have public IP."
FAILED for resource: aws_instance.my_server
File: /lessons/122/terraform/6-ec2.tf:41-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html
41 | resource "aws_instance" "my_server" {
42 | ami = data.aws_ami.ubuntu.id
43 | instance_type = "t3.micro"
44 |
45 | # create devops key pair manually before you run terraform
46 | key_name = "devops"
47 |
48 | subnet_id = aws_subnet.public_us_east_1a.id
49 | vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
50 |
51 | associate_public_ip_address = true
52 |
53 | tags = {
54 | Name = "my-server"
55 | }
56 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.my_server
File: /lessons/122/terraform/6-ec2.tf:41-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
41 | resource "aws_instance" "my_server" {
42 | ami = data.aws_ami.ubuntu.id
43 | instance_type = "t3.micro"
44 |
45 | # create devops key pair manually before you run terraform
46 | key_name = "devops"
47 |
48 | subnet_id = aws_subnet.public_us_east_1a.id
49 | vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
50 |
51 | associate_public_ip_address = true
52 |
53 | tags = {
54 | Name = "my-server"
55 | }
56 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.alarms
File: /lessons/122/terraform/7-sns-topic.tf:28-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-15.html
28 | resource "aws_sns_topic" "alarms" {
29 | name = "alarms"
30 |
31 | # Important! Only for testing, set to log every single message
32 | # For production, set it to 0 or close
33 | lambda_success_feedback_sample_rate = 100
34 |
35 | lambda_failure_feedback_role_arn = aws_iam_role.sns_logs.arn
36 | lambda_success_feedback_role_arn = aws_iam_role.sns_logs.arn
37 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.send_cloudwatch_alarms_to_slack
File: /lessons/122/terraform/9-lambda.tf:46-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
46 | resource "aws_lambda_function" "send_cloudwatch_alarms_to_slack" {
47 | function_name = "send-cloudwatch-alarms-to-slack"
48 |
49 | s3_bucket = aws_s3_bucket.lambda_bucket.id
50 | s3_key = aws_s3_object.send_cloudwatch_alarms_to_slack.key
51 |
52 | runtime = "python3.9"
53 | handler = "function.lambda_handler"
54 |
55 | source_code_hash = data.archive_file.send_cloudwatch_alarms_to_slack.output_base64sha256
56 |
57 | role = aws_iam_role.send_cloudwatch_alarms_to_slack.arn
58 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.send_cloudwatch_alarms_to_slack
File: /lessons/122/terraform/9-lambda.tf:46-58
46 | resource "aws_lambda_function" "send_cloudwatch_alarms_to_slack" {
47 | function_name = "send-cloudwatch-alarms-to-slack"
48 |
49 | s3_bucket = aws_s3_bucket.lambda_bucket.id
50 | s3_key = aws_s3_object.send_cloudwatch_alarms_to_slack.key
51 |
52 | runtime = "python3.9"
53 | handler = "function.lambda_handler"
54 |
55 | source_code_hash = data.archive_file.send_cloudwatch_alarms_to_slack.output_base64sha256
56 |
57 | role = aws_iam_role.send_cloudwatch_alarms_to_slack.arn
58 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.send_cloudwatch_alarms_to_slack
File: /lessons/122/terraform/9-lambda.tf:46-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
46 | resource "aws_lambda_function" "send_cloudwatch_alarms_to_slack" {
47 | function_name = "send-cloudwatch-alarms-to-slack"
48 |
49 | s3_bucket = aws_s3_bucket.lambda_bucket.id
50 | s3_key = aws_s3_object.send_cloudwatch_alarms_to_slack.key
51 |
52 | runtime = "python3.9"
53 | handler = "function.lambda_handler"
54 |
55 | source_code_hash = data.archive_file.send_cloudwatch_alarms_to_slack.output_base64sha256
56 |
57 | role = aws_iam_role.send_cloudwatch_alarms_to_slack.arn
58 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.send_cloudwatch_alarms_to_slack
File: /lessons/122/terraform/9-lambda.tf:46-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
46 | resource "aws_lambda_function" "send_cloudwatch_alarms_to_slack" {
47 | function_name = "send-cloudwatch-alarms-to-slack"
48 |
49 | s3_bucket = aws_s3_bucket.lambda_bucket.id
50 | s3_key = aws_s3_object.send_cloudwatch_alarms_to_slack.key
51 |
52 | runtime = "python3.9"
53 | handler = "function.lambda_handler"
54 |
55 | source_code_hash = data.archive_file.send_cloudwatch_alarms_to_slack.output_base64sha256
56 |
57 | role = aws_iam_role.send_cloudwatch_alarms_to_slack.arn
58 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.send_cloudwatch_alarms_to_slack
File: /lessons/122/terraform/9-lambda.tf:46-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
46 | resource "aws_lambda_function" "send_cloudwatch_alarms_to_slack" {
47 | function_name = "send-cloudwatch-alarms-to-slack"
48 |
49 | s3_bucket = aws_s3_bucket.lambda_bucket.id
50 | s3_key = aws_s3_object.send_cloudwatch_alarms_to_slack.key
51 |
52 | runtime = "python3.9"
53 | handler = "function.lambda_handler"
54 |
55 | source_code_hash = data.archive_file.send_cloudwatch_alarms_to_slack.output_base64sha256
56 |
57 | role = aws_iam_role.send_cloudwatch_alarms_to_slack.arn
58 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.send_cloudwatch_alarms_to_slack
File: /lessons/122/terraform/9-lambda.tf:61-65
61 | resource "aws_cloudwatch_log_group" "send_cloudwatch_alarms_to_slack" {
62 | name = "/aws/lambda/${aws_lambda_function.send_cloudwatch_alarms_to_slack.function_name}"
63 |
64 | retention_in_days = 14
65 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.send_cloudwatch_alarms_to_slack
File: /lessons/122/terraform/9-lambda.tf:61-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
61 | resource "aws_cloudwatch_log_group" "send_cloudwatch_alarms_to_slack" {
62 | name = "/aws/lambda/${aws_lambda_function.send_cloudwatch_alarms_to_slack.function_name}"
63 |
64 | retention_in_days = 14
65 | }
Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK"
FAILED for resource: aws_dynamodb_table.meta
File: /lessons/124/terraform/3-dynamodb.tf:1-12
Guide: https://docs.bridgecrew.io/docs/ensure-that-dynamodb-tables-are-encrypted
1 | resource "aws_dynamodb_table" "meta" {
2 | name = "Meta"
3 | billing_mode = "PROVISIONED"
4 | read_capacity = 5
5 | write_capacity = 5
6 | hash_key = "LastModified"
7 |
8 | attribute {
9 | name = "LastModified"
10 | type = "S"
11 | }
12 | }
Check: CKV_AWS_28: "Ensure Dynamodb point in time recovery (backup) is enabled"
FAILED for resource: aws_dynamodb_table.meta
File: /lessons/124/terraform/3-dynamodb.tf:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-6.html
1 | resource "aws_dynamodb_table" "meta" {
2 | name = "Meta"
3 | billing_mode = "PROVISIONED"
4 | read_capacity = 5
5 | write_capacity = 5
6 | hash_key = "LastModified"
7 |
8 | attribute {
9 | name = "LastModified"
10 | type = "S"
11 | }
12 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.nodejs
File: /lessons/124/terraform/4-nodejs-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
78 | resource "aws_lambda_function" "nodejs" {
79 | function_name = "nodejs"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_nodejs.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "nodejs16.x"
91 | handler = "function.handler"
92 |
93 | source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
94 |
95 | role = aws_iam_role.nodejs_lambda_exec.arn
96 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.nodejs
File: /lessons/124/terraform/4-nodejs-lambda.tf:78-96
78 | resource "aws_lambda_function" "nodejs" {
79 | function_name = "nodejs"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_nodejs.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "nodejs16.x"
91 | handler = "function.handler"
92 |
93 | source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
94 |
95 | role = aws_iam_role.nodejs_lambda_exec.arn
96 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.nodejs
File: /lessons/124/terraform/4-nodejs-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
78 | resource "aws_lambda_function" "nodejs" {
79 | function_name = "nodejs"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_nodejs.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "nodejs16.x"
91 | handler = "function.handler"
92 |
93 | source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
94 |
95 | role = aws_iam_role.nodejs_lambda_exec.arn
96 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.nodejs
File: /lessons/124/terraform/4-nodejs-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
78 | resource "aws_lambda_function" "nodejs" {
79 | function_name = "nodejs"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_nodejs.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "nodejs16.x"
91 | handler = "function.handler"
92 |
93 | source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
94 |
95 | role = aws_iam_role.nodejs_lambda_exec.arn
96 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.nodejs
File: /lessons/124/terraform/4-nodejs-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
78 | resource "aws_lambda_function" "nodejs" {
79 | function_name = "nodejs"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_nodejs.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "nodejs16.x"
91 | handler = "function.handler"
92 |
93 | source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
94 |
95 | role = aws_iam_role.nodejs_lambda_exec.arn
96 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.nodejs
File: /lessons/124/terraform/4-nodejs-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
78 | resource "aws_lambda_function" "nodejs" {
79 | function_name = "nodejs"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_nodejs.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "nodejs16.x"
91 | handler = "function.handler"
92 |
93 | source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
94 |
95 | role = aws_iam_role.nodejs_lambda_exec.arn
96 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.nodejs
File: /lessons/124/terraform/4-nodejs-lambda.tf:98-102
98 | resource "aws_cloudwatch_log_group" "nodejs" {
99 | name = "/aws/lambda/${aws_lambda_function.nodejs.function_name}"
100 |
101 | retention_in_days = 14
102 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.nodejs
File: /lessons/124/terraform/4-nodejs-lambda.tf:98-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
98 | resource "aws_cloudwatch_log_group" "nodejs" {
99 | name = "/aws/lambda/${aws_lambda_function.nodejs.function_name}"
100 |
101 | retention_in_days = 14
102 | }
Check: CKV_AWS_258: "Ensure that Lambda function URLs AuthType is not None"
FAILED for resource: aws_lambda_function_url.lambda_nodejs
File: /lessons/124/terraform/4-nodejs-lambda.tf:120-123
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined.html
120 | resource "aws_lambda_function_url" "lambda_nodejs" {
121 | function_name = aws_lambda_function.nodejs.function_name
122 | authorization_type = "NONE"
123 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.go
File: /lessons/124/terraform/5-go-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
78 | resource "aws_lambda_function" "go" {
79 | function_name = "go"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "go1.x"
91 | handler = "main"
92 |
93 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
94 |
95 | role = aws_iam_role.go_lambda_exec.arn
96 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.go
File: /lessons/124/terraform/5-go-lambda.tf:78-96
78 | resource "aws_lambda_function" "go" {
79 | function_name = "go"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "go1.x"
91 | handler = "main"
92 |
93 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
94 |
95 | role = aws_iam_role.go_lambda_exec.arn
96 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.go
File: /lessons/124/terraform/5-go-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
78 | resource "aws_lambda_function" "go" {
79 | function_name = "go"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "go1.x"
91 | handler = "main"
92 |
93 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
94 |
95 | role = aws_iam_role.go_lambda_exec.arn
96 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.go
File: /lessons/124/terraform/5-go-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
78 | resource "aws_lambda_function" "go" {
79 | function_name = "go"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "go1.x"
91 | handler = "main"
92 |
93 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
94 |
95 | role = aws_iam_role.go_lambda_exec.arn
96 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.go
File: /lessons/124/terraform/5-go-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
78 | resource "aws_lambda_function" "go" {
79 | function_name = "go"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "go1.x"
91 | handler = "main"
92 |
93 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
94 |
95 | role = aws_iam_role.go_lambda_exec.arn
96 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.go
File: /lessons/124/terraform/5-go-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
78 | resource "aws_lambda_function" "go" {
79 | function_name = "go"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "go1.x"
91 | handler = "main"
92 |
93 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
94 |
95 | role = aws_iam_role.go_lambda_exec.arn
96 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.go
File: /lessons/124/terraform/5-go-lambda.tf:98-102
98 | resource "aws_cloudwatch_log_group" "go" {
99 | name = "/aws/lambda/${aws_lambda_function.go.function_name}"
100 |
101 | retention_in_days = 14
102 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.go
File: /lessons/124/terraform/5-go-lambda.tf:98-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
98 | resource "aws_cloudwatch_log_group" "go" {
99 | name = "/aws/lambda/${aws_lambda_function.go.function_name}"
100 |
101 | retention_in_days = 14
102 | }
Check: CKV_AWS_258: "Ensure that Lambda function URLs AuthType is not None"
FAILED for resource: aws_lambda_function_url.lambda_go
File: /lessons/124/terraform/5-go-lambda.tf:120-123
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined.html
120 | resource "aws_lambda_function_url" "lambda_go" {
121 | function_name = aws_lambda_function.go.function_name
122 | authorization_type = "NONE"
123 | }
Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK"
FAILED for resource: aws_dynamodb_table.meta
File: /lessons/126/terraform/3-dynamodb.tf:2-13
Guide: https://docs.bridgecrew.io/docs/ensure-that-dynamodb-tables-are-encrypted
2 | resource "aws_dynamodb_table" "meta" {
3 | name = "Meta"
4 | billing_mode = "PROVISIONED"
5 | read_capacity = 5
6 | write_capacity = 1000
7 | hash_key = "LastModified"
8 |
9 | attribute {
10 | name = "LastModified"
11 | type = "S"
12 | }
13 | }
Check: CKV_AWS_28: "Ensure Dynamodb point in time recovery (backup) is enabled"
FAILED for resource: aws_dynamodb_table.meta
File: /lessons/126/terraform/3-dynamodb.tf:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-6.html
2 | resource "aws_dynamodb_table" "meta" {
3 | name = "Meta"
4 | billing_mode = "PROVISIONED"
5 | read_capacity = 5
6 | write_capacity = 1000
7 | hash_key = "LastModified"
8 |
9 | attribute {
10 | name = "LastModified"
11 | type = "S"
12 | }
13 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.nodejs
File: /lessons/126/terraform/4-nodejs-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
78 | resource "aws_lambda_function" "nodejs" {
79 | function_name = "nodejs"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_nodejs.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "nodejs16.x"
91 | handler = "function.lambda_handler"
92 |
93 | source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
94 |
95 | role = aws_iam_role.nodejs_lambda_exec.arn
96 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.nodejs
File: /lessons/126/terraform/4-nodejs-lambda.tf:78-96
78 | resource "aws_lambda_function" "nodejs" {
79 | function_name = "nodejs"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_nodejs.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "nodejs16.x"
91 | handler = "function.lambda_handler"
92 |
93 | source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
94 |
95 | role = aws_iam_role.nodejs_lambda_exec.arn
96 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.nodejs
File: /lessons/126/terraform/4-nodejs-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
78 | resource "aws_lambda_function" "nodejs" {
79 | function_name = "nodejs"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_nodejs.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "nodejs16.x"
91 | handler = "function.lambda_handler"
92 |
93 | source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
94 |
95 | role = aws_iam_role.nodejs_lambda_exec.arn
96 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.nodejs
File: /lessons/126/terraform/4-nodejs-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
78 | resource "aws_lambda_function" "nodejs" {
79 | function_name = "nodejs"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_nodejs.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "nodejs16.x"
91 | handler = "function.lambda_handler"
92 |
93 | source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
94 |
95 | role = aws_iam_role.nodejs_lambda_exec.arn
96 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.nodejs
File: /lessons/126/terraform/4-nodejs-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
78 | resource "aws_lambda_function" "nodejs" {
79 | function_name = "nodejs"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_nodejs.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "nodejs16.x"
91 | handler = "function.lambda_handler"
92 |
93 | source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
94 |
95 | role = aws_iam_role.nodejs_lambda_exec.arn
96 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.nodejs
File: /lessons/126/terraform/4-nodejs-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
78 | resource "aws_lambda_function" "nodejs" {
79 | function_name = "nodejs"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_nodejs.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "nodejs16.x"
91 | handler = "function.lambda_handler"
92 |
93 | source_code_hash = data.archive_file.lambda_nodejs.output_base64sha256
94 |
95 | role = aws_iam_role.nodejs_lambda_exec.arn
96 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.nodejs
File: /lessons/126/terraform/4-nodejs-lambda.tf:98-102
98 | resource "aws_cloudwatch_log_group" "nodejs" {
99 | name = "/aws/lambda/${aws_lambda_function.nodejs.function_name}"
100 |
101 | retention_in_days = 14
102 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.nodejs
File: /lessons/126/terraform/4-nodejs-lambda.tf:98-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
98 | resource "aws_cloudwatch_log_group" "nodejs" {
99 | name = "/aws/lambda/${aws_lambda_function.nodejs.function_name}"
100 |
101 | retention_in_days = 14
102 | }
Check: CKV_AWS_258: "Ensure that Lambda function URLs AuthType is not None"
FAILED for resource: aws_lambda_function_url.lambda_nodejs
File: /lessons/126/terraform/4-nodejs-lambda.tf:120-123
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined.html
120 | resource "aws_lambda_function_url" "lambda_nodejs" {
121 | function_name = aws_lambda_function.nodejs.function_name
122 | authorization_type = "NONE"
123 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.python
File: /lessons/126/terraform/4-python-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
78 | resource "aws_lambda_function" "python" {
79 | function_name = "python"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_python.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "python3.9"
91 | handler = "function.lambda_handler"
92 |
93 | source_code_hash = data.archive_file.lambda_python.output_base64sha256
94 |
95 | role = aws_iam_role.python_lambda_exec.arn
96 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.python
File: /lessons/126/terraform/4-python-lambda.tf:78-96
78 | resource "aws_lambda_function" "python" {
79 | function_name = "python"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_python.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "python3.9"
91 | handler = "function.lambda_handler"
92 |
93 | source_code_hash = data.archive_file.lambda_python.output_base64sha256
94 |
95 | role = aws_iam_role.python_lambda_exec.arn
96 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.python
File: /lessons/126/terraform/4-python-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
78 | resource "aws_lambda_function" "python" {
79 | function_name = "python"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_python.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "python3.9"
91 | handler = "function.lambda_handler"
92 |
93 | source_code_hash = data.archive_file.lambda_python.output_base64sha256
94 |
95 | role = aws_iam_role.python_lambda_exec.arn
96 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.python
File: /lessons/126/terraform/4-python-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
78 | resource "aws_lambda_function" "python" {
79 | function_name = "python"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_python.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "python3.9"
91 | handler = "function.lambda_handler"
92 |
93 | source_code_hash = data.archive_file.lambda_python.output_base64sha256
94 |
95 | role = aws_iam_role.python_lambda_exec.arn
96 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.python
File: /lessons/126/terraform/4-python-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
78 | resource "aws_lambda_function" "python" {
79 | function_name = "python"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_python.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "python3.9"
91 | handler = "function.lambda_handler"
92 |
93 | source_code_hash = data.archive_file.lambda_python.output_base64sha256
94 |
95 | role = aws_iam_role.python_lambda_exec.arn
96 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.python
File: /lessons/126/terraform/4-python-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
78 | resource "aws_lambda_function" "python" {
79 | function_name = "python"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_python.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "python3.9"
91 | handler = "function.lambda_handler"
92 |
93 | source_code_hash = data.archive_file.lambda_python.output_base64sha256
94 |
95 | role = aws_iam_role.python_lambda_exec.arn
96 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.python
File: /lessons/126/terraform/4-python-lambda.tf:98-102
98 | resource "aws_cloudwatch_log_group" "python" {
99 | name = "/aws/lambda/${aws_lambda_function.python.function_name}"
100 |
101 | retention_in_days = 14
102 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.python
File: /lessons/126/terraform/4-python-lambda.tf:98-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
98 | resource "aws_cloudwatch_log_group" "python" {
99 | name = "/aws/lambda/${aws_lambda_function.python.function_name}"
100 |
101 | retention_in_days = 14
102 | }
Check: CKV_AWS_258: "Ensure that Lambda function URLs AuthType is not None"
FAILED for resource: aws_lambda_function_url.lambda_python
File: /lessons/126/terraform/4-python-lambda.tf:120-123
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined.html
120 | resource "aws_lambda_function_url" "lambda_python" {
121 | function_name = aws_lambda_function.python.function_name
122 | authorization_type = "NONE"
123 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_us_east_1a
File: /lessons/127/terraform/3-subnets.tf:21-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
21 | resource "aws_subnet" "public_us_east_1a" {
22 | vpc_id = aws_vpc.main.id
23 | cidr_block = "10.0.64.0/19"
24 | availability_zone = "us-east-1a"
25 | map_public_ip_on_launch = true
26 |
27 | tags = {
28 | "Name" = "public-us-east-1a"
29 | }
30 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_us_east_1b
File: /lessons/127/terraform/3-subnets.tf:32-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
32 | resource "aws_subnet" "public_us_east_1b" {
33 | vpc_id = aws_vpc.main.id
34 | cidr_block = "10.0.96.0/19"
35 | availability_zone = "us-east-1b"
36 | map_public_ip_on_launch = true
37 |
38 | tags = {
39 | "Name" = "public-us-east-1b"
40 | }
41 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.ec2_eg1
File: /lessons/127/terraform/6-example-1.tf:14-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
14 | resource "aws_security_group" "ec2_eg1" {
15 | name = "ec2-eg1"
16 | vpc_id = aws_vpc.main.id
17 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.alb_eg1
File: /lessons/127/terraform/6-example-1.tf:19-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
19 | resource "aws_security_group" "alb_eg1" {
20 | name = "alb-eg1"
21 | vpc_id = aws_vpc.main.id
22 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.ingress_ec2_traffic
File: /lessons/127/terraform/6-example-1.tf:24-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
24 | resource "aws_security_group_rule" "ingress_ec2_traffic" {
25 | type = "ingress"
26 | from_port = 8080
27 | to_port = 8080
28 | protocol = "tcp"
29 | security_group_id = aws_security_group.ec2_eg1.id
30 | source_security_group_id = aws_security_group.alb_eg1.id
31 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.ingress_ec2_health_check
File: /lessons/127/terraform/6-example-1.tf:33-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
33 | resource "aws_security_group_rule" "ingress_ec2_health_check" {
34 | type = "ingress"
35 | from_port = 8081
36 | to_port = 8081
37 | protocol = "tcp"
38 | security_group_id = aws_security_group.ec2_eg1.id
39 | source_security_group_id = aws_security_group.alb_eg1.id
40 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.ingress_alb_traffic
File: /lessons/127/terraform/6-example-1.tf:51-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
51 | resource "aws_security_group_rule" "ingress_alb_traffic" {
52 | type = "ingress"
53 | from_port = 80
54 | to_port = 80
55 | protocol = "tcp"
56 | security_group_id = aws_security_group.alb_eg1.id
57 | cidr_blocks = ["0.0.0.0/0"]
58 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group_rule.ingress_alb_traffic
File: /lessons/127/terraform/6-example-1.tf:51-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
51 | resource "aws_security_group_rule" "ingress_alb_traffic" {
52 | type = "ingress"
53 | from_port = 80
54 | to_port = 80
55 | protocol = "tcp"
56 | security_group_id = aws_security_group.alb_eg1.id
57 | cidr_blocks = ["0.0.0.0/0"]
58 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.egress_alb_traffic
File: /lessons/127/terraform/6-example-1.tf:60-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
60 | resource "aws_security_group_rule" "egress_alb_traffic" {
61 | type = "egress"
62 | from_port = 8080
63 | to_port = 8080
64 | protocol = "tcp"
65 | security_group_id = aws_security_group.alb_eg1.id
66 | source_security_group_id = aws_security_group.ec2_eg1.id
67 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.egress_alb_health_check
File: /lessons/127/terraform/6-example-1.tf:69-76
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
69 | resource "aws_security_group_rule" "egress_alb_health_check" {
70 | type = "egress"
71 | from_port = 8081
72 | to_port = 8081
73 | protocol = "tcp"
74 | security_group_id = aws_security_group.alb_eg1.id
75 | source_security_group_id = aws_security_group.ec2_eg1.id
76 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.my_app_eg1["my-app-00"]
File: /lessons/127/terraform/6-example-1.tf:78-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
78 | resource "aws_instance" "my_app_eg1" {
79 | for_each = local.web_servers
80 |
81 | ami = "ami-07309549f34230bcd"
82 | instance_type = each.value.machine_type
83 | key_name = "devops"
84 | subnet_id = each.value.subnet_id
85 |
86 | vpc_security_group_ids = [aws_security_group.ec2_eg1.id]
87 |
88 | tags = {
89 | Name = each.key
90 | }
91 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.my_app_eg1["my-app-00"]
File: /lessons/127/terraform/6-example-1.tf:78-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
78 | resource "aws_instance" "my_app_eg1" {
79 | for_each = local.web_servers
80 |
81 | ami = "ami-07309549f34230bcd"
82 | instance_type = each.value.machine_type
83 | key_name = "devops"
84 | subnet_id = each.value.subnet_id
85 |
86 | vpc_security_group_ids = [aws_security_group.ec2_eg1.id]
87 |
88 | tags = {
89 | Name = each.key
90 | }
91 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.my_app_eg1["my-app-00"]
File: /lessons/127/terraform/6-example-1.tf:78-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
78 | resource "aws_instance" "my_app_eg1" {
79 | for_each = local.web_servers
80 |
81 | ami = "ami-07309549f34230bcd"
82 | instance_type = each.value.machine_type
83 | key_name = "devops"
84 | subnet_id = each.value.subnet_id
85 |
86 | vpc_security_group_ids = [aws_security_group.ec2_eg1.id]
87 |
88 | tags = {
89 | Name = each.key
90 | }
91 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.my_app_eg1["my-app-00"]
File: /lessons/127/terraform/6-example-1.tf:78-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
78 | resource "aws_instance" "my_app_eg1" {
79 | for_each = local.web_servers
80 |
81 | ami = "ami-07309549f34230bcd"
82 | instance_type = each.value.machine_type
83 | key_name = "devops"
84 | subnet_id = each.value.subnet_id
85 |
86 | vpc_security_group_ids = [aws_security_group.ec2_eg1.id]
87 |
88 | tags = {
89 | Name = each.key
90 | }
91 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.my_app_eg1
File: /lessons/127/terraform/6-example-1.tf:127-143
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
127 | resource "aws_lb" "my_app_eg1" {
128 | name = "my-app-eg1"
129 | internal = false
130 | load_balancer_type = "application"
131 | security_groups = [aws_security_group.alb_eg1.id]
132 |
133 | # access_logs {
134 | # bucket = "my-logs"
135 | # prefix = "my-app-lb"
136 | # enabled = true
137 | # }
138 |
139 | subnets = [
140 | aws_subnet.public_us_east_1a.id,
141 | aws_subnet.public_us_east_1b.id
142 | ]
143 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: aws_lb.my_app_eg1
File: /lessons/127/terraform/6-example-1.tf:127-143
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
127 | resource "aws_lb" "my_app_eg1" {
128 | name = "my-app-eg1"
129 | internal = false
130 | load_balancer_type = "application"
131 | security_groups = [aws_security_group.alb_eg1.id]
132 |
133 | # access_logs {
134 | # bucket = "my-logs"
135 | # prefix = "my-app-lb"
136 | # enabled = true
137 | # }
138 |
139 | subnets = [
140 | aws_subnet.public_us_east_1a.id,
141 | aws_subnet.public_us_east_1b.id
142 | ]
143 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.my_app_eg1
File: /lessons/127/terraform/6-example-1.tf:127-143
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
127 | resource "aws_lb" "my_app_eg1" {
128 | name = "my-app-eg1"
129 | internal = false
130 | load_balancer_type = "application"
131 | security_groups = [aws_security_group.alb_eg1.id]
132 |
133 | # access_logs {
134 | # bucket = "my-logs"
135 | # prefix = "my-app-lb"
136 | # enabled = true
137 | # }
138 |
139 | subnets = [
140 | aws_subnet.public_us_east_1a.id,
141 | aws_subnet.public_us_east_1b.id
142 | ]
143 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: aws_lb_listener.http_eg1
File: /lessons/127/terraform/6-example-1.tf:145-154
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
145 | resource "aws_lb_listener" "http_eg1" {
146 | load_balancer_arn = aws_lb.my_app_eg1.arn
147 | port = "80"
148 | protocol = "HTTP"
149 |
150 | default_action {
151 | type = "forward"
152 | target_group_arn = aws_lb_target_group.my_app_eg1.arn
153 | }
154 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.my_app_eg1["my-app-01"]
File: /lessons/127/terraform/6-example-1.tf:78-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
78 | resource "aws_instance" "my_app_eg1" {
79 | for_each = local.web_servers
80 |
81 | ami = "ami-07309549f34230bcd"
82 | instance_type = each.value.machine_type
83 | key_name = "devops"
84 | subnet_id = each.value.subnet_id
85 |
86 | vpc_security_group_ids = [aws_security_group.ec2_eg1.id]
87 |
88 | tags = {
89 | Name = each.key
90 | }
91 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.my_app_eg1["my-app-01"]
File: /lessons/127/terraform/6-example-1.tf:78-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
78 | resource "aws_instance" "my_app_eg1" {
79 | for_each = local.web_servers
80 |
81 | ami = "ami-07309549f34230bcd"
82 | instance_type = each.value.machine_type
83 | key_name = "devops"
84 | subnet_id = each.value.subnet_id
85 |
86 | vpc_security_group_ids = [aws_security_group.ec2_eg1.id]
87 |
88 | tags = {
89 | Name = each.key
90 | }
91 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.my_app_eg1["my-app-01"]
File: /lessons/127/terraform/6-example-1.tf:78-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
78 | resource "aws_instance" "my_app_eg1" {
79 | for_each = local.web_servers
80 |
81 | ami = "ami-07309549f34230bcd"
82 | instance_type = each.value.machine_type
83 | key_name = "devops"
84 | subnet_id = each.value.subnet_id
85 |
86 | vpc_security_group_ids = [aws_security_group.ec2_eg1.id]
87 |
88 | tags = {
89 | Name = each.key
90 | }
91 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.my_app_eg1["my-app-01"]
File: /lessons/127/terraform/6-example-1.tf:78-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
78 | resource "aws_instance" "my_app_eg1" {
79 | for_each = local.web_servers
80 |
81 | ami = "ami-07309549f34230bcd"
82 | instance_type = each.value.machine_type
83 | key_name = "devops"
84 | subnet_id = each.value.subnet_id
85 |
86 | vpc_security_group_ids = [aws_security_group.ec2_eg1.id]
87 |
88 | tags = {
89 | Name = each.key
90 | }
91 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.ec2_eg2
File: /lessons/127/terraform/7-example-2.tf:1-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
1 | resource "aws_security_group" "ec2_eg2" {
2 | name = "ec2-eg2"
3 | vpc_id = aws_vpc.main.id
4 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.alb_eg2
File: /lessons/127/terraform/7-example-2.tf:6-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
6 | resource "aws_security_group" "alb_eg2" {
7 | name = "alb-eg2"
8 | vpc_id = aws_vpc.main.id
9 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.ingress_ec2_eg2_traffic
File: /lessons/127/terraform/7-example-2.tf:11-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
11 | resource "aws_security_group_rule" "ingress_ec2_eg2_traffic" {
12 | type = "ingress"
13 | from_port = 8080
14 | to_port = 8080
15 | protocol = "tcp"
16 | security_group_id = aws_security_group.ec2_eg2.id
17 | source_security_group_id = aws_security_group.alb_eg2.id
18 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.ingress_ec2_eg2_health_check
File: /lessons/127/terraform/7-example-2.tf:20-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
20 | resource "aws_security_group_rule" "ingress_ec2_eg2_health_check" {
21 | type = "ingress"
22 | from_port = 8081
23 | to_port = 8081
24 | protocol = "tcp"
25 | security_group_id = aws_security_group.ec2_eg2.id
26 | source_security_group_id = aws_security_group.alb_eg2.id
27 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.ingress_alb_eg2_http_traffic
File: /lessons/127/terraform/7-example-2.tf:38-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
38 | resource "aws_security_group_rule" "ingress_alb_eg2_http_traffic" {
39 | type = "ingress"
40 | from_port = 80
41 | to_port = 80
42 | protocol = "tcp"
43 | security_group_id = aws_security_group.alb_eg2.id
44 | cidr_blocks = ["0.0.0.0/0"]
45 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group_rule.ingress_alb_eg2_http_traffic
File: /lessons/127/terraform/7-example-2.tf:38-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
38 | resource "aws_security_group_rule" "ingress_alb_eg2_http_traffic" {
39 | type = "ingress"
40 | from_port = 80
41 | to_port = 80
42 | protocol = "tcp"
43 | security_group_id = aws_security_group.alb_eg2.id
44 | cidr_blocks = ["0.0.0.0/0"]
45 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.ingress_alb_eg2_https_traffic
File: /lessons/127/terraform/7-example-2.tf:47-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
47 | resource "aws_security_group_rule" "ingress_alb_eg2_https_traffic" {
48 | type = "ingress"
49 | from_port = 443
50 | to_port = 443
51 | protocol = "tcp"
52 | security_group_id = aws_security_group.alb_eg2.id
53 | cidr_blocks = ["0.0.0.0/0"]
54 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.egress_alb_eg2_traffic
File: /lessons/127/terraform/7-example-2.tf:56-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
56 | resource "aws_security_group_rule" "egress_alb_eg2_traffic" {
57 | type = "egress"
58 | from_port = 8080
59 | to_port = 8080
60 | protocol = "tcp"
61 | security_group_id = aws_security_group.alb_eg2.id
62 | source_security_group_id = aws_security_group.ec2_eg2.id
63 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.egress_alb_eg2_health_check
File: /lessons/127/terraform/7-example-2.tf:65-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
65 | resource "aws_security_group_rule" "egress_alb_eg2_health_check" {
66 | type = "egress"
67 | from_port = 8081
68 | to_port = 8081
69 | protocol = "tcp"
70 | security_group_id = aws_security_group.alb_eg2.id
71 | source_security_group_id = aws_security_group.ec2_eg2.id
72 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_launch_template.my_app_eg2
File: /lessons/127/terraform/7-example-2.tf:74-79
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
74 | resource "aws_launch_template" "my_app_eg2" {
75 | name = "my-app-eg2"
76 | image_id = "ami-07309549f34230bcd"
77 | key_name = "devops"
78 | vpc_security_group_ids = [aws_security_group.ec2_eg2.id]
79 | }
Check: CKV_AWS_153: "Autoscaling groups should supply tags to launch configurations"
FAILED for resource: aws_autoscaling_group.my_app_eg2
File: /lessons/127/terraform/7-example-2.tf:99-123
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/autoscaling-groups-should-supply-tags-to-launch-configurations.html
99 | resource "aws_autoscaling_group" "my_app_eg2" {
100 | name = "my-app-eg2"
101 | min_size = 1
102 | max_size = 3
103 |
104 | health_check_type = "EC2"
105 |
106 | vpc_zone_identifier = [
107 | aws_subnet.private_us_east_1a.id,
108 | aws_subnet.private_us_east_1b.id
109 | ]
110 |
111 | target_group_arns = [aws_lb_target_group.my_app_eg2.arn]
112 |
113 | mixed_instances_policy {
114 | launch_template {
115 | launch_template_specification {
116 | launch_template_id = aws_launch_template.my_app_eg2.id
117 | }
118 | override {
119 | instance_type = "t3.micro"
120 | }
121 | }
122 | }
123 | }
Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
FAILED for resource: aws_autoscaling_group.my_app_eg2
File: /lessons/127/terraform/7-example-2.tf:99-123
99 | resource "aws_autoscaling_group" "my_app_eg2" {
100 | name = "my-app-eg2"
101 | min_size = 1
102 | max_size = 3
103 |
104 | health_check_type = "EC2"
105 |
106 | vpc_zone_identifier = [
107 | aws_subnet.private_us_east_1a.id,
108 | aws_subnet.private_us_east_1b.id
109 | ]
110 |
111 | target_group_arns = [aws_lb_target_group.my_app_eg2.arn]
112 |
113 | mixed_instances_policy {
114 | launch_template {
115 | launch_template_specification {
116 | launch_template_id = aws_launch_template.my_app_eg2.id
117 | }
118 | override {
119 | instance_type = "t3.micro"
120 | }
121 | }
122 | }
123 | }
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.my_app_eg2
File: /lessons/127/terraform/7-example-2.tf:141-151
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
141 | resource "aws_lb" "my_app_eg2" {
142 | name = "my-app-eg2"
143 | internal = false
144 | load_balancer_type = "application"
145 | security_groups = [aws_security_group.alb_eg2.id]
146 |
147 | subnets = [
148 | aws_subnet.public_us_east_1a.id,
149 | aws_subnet.public_us_east_1b.id
150 | ]
151 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: aws_lb.my_app_eg2
File: /lessons/127/terraform/7-example-2.tf:141-151
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
141 | resource "aws_lb" "my_app_eg2" {
142 | name = "my-app-eg2"
143 | internal = false
144 | load_balancer_type = "application"
145 | security_groups = [aws_security_group.alb_eg2.id]
146 |
147 | subnets = [
148 | aws_subnet.public_us_east_1a.id,
149 | aws_subnet.public_us_east_1b.id
150 | ]
151 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.my_app_eg2
File: /lessons/127/terraform/7-example-2.tf:141-151
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
141 | resource "aws_lb" "my_app_eg2" {
142 | name = "my-app-eg2"
143 | internal = false
144 | load_balancer_type = "application"
145 | security_groups = [aws_security_group.alb_eg2.id]
146 |
147 | subnets = [
148 | aws_subnet.public_us_east_1a.id,
149 | aws_subnet.public_us_east_1b.id
150 | ]
151 | }
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
FAILED for resource: aws_acm_certificate.api
File: /lessons/127/terraform/7-example-2.tf:179-182
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy.html
179 | resource "aws_acm_certificate" "api" {
180 | domain_name = "api.antonputra.com"
181 | validation_method = "DNS"
182 | }
Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK"
FAILED for resource: aws_dynamodb_table.images
File: /lessons/128/terraform/3-dynamodb.tf:1-12
Guide: https://docs.bridgecrew.io/docs/ensure-that-dynamodb-tables-are-encrypted
1 | resource "aws_dynamodb_table" "images" {
2 | name = "images"
3 | billing_mode = "PROVISIONED"
4 | read_capacity = 5
5 | write_capacity = 100
6 | hash_key = "last_modified_date"
7 |
8 | attribute {
9 | name = "last_modified_date"
10 | type = "S"
11 | }
12 | }
Check: CKV_AWS_28: "Ensure Dynamodb point in time recovery (backup) is enabled"
FAILED for resource: aws_dynamodb_table.images
File: /lessons/128/terraform/3-dynamodb.tf:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-6.html
1 | resource "aws_dynamodb_table" "images" {
2 | name = "images"
3 | billing_mode = "PROVISIONED"
4 | read_capacity = 5
5 | write_capacity = 100
6 | hash_key = "last_modified_date"
7 |
8 | attribute {
9 | name = "last_modified_date"
10 | type = "S"
11 | }
12 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.rust
File: /lessons/128/terraform/4-rust-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
78 | resource "aws_lambda_function" "rust" {
79 | function_name = "rust"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_rust.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "provided.al2"
91 | handler = "bootstrap"
92 |
93 | source_code_hash = data.archive_file.lambda_rust.output_base64sha256
94 |
95 | role = aws_iam_role.rust_lambda_exec.arn
96 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.rust
File: /lessons/128/terraform/4-rust-lambda.tf:78-96
78 | resource "aws_lambda_function" "rust" {
79 | function_name = "rust"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_rust.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "provided.al2"
91 | handler = "bootstrap"
92 |
93 | source_code_hash = data.archive_file.lambda_rust.output_base64sha256
94 |
95 | role = aws_iam_role.rust_lambda_exec.arn
96 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.rust
File: /lessons/128/terraform/4-rust-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
78 | resource "aws_lambda_function" "rust" {
79 | function_name = "rust"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_rust.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "provided.al2"
91 | handler = "bootstrap"
92 |
93 | source_code_hash = data.archive_file.lambda_rust.output_base64sha256
94 |
95 | role = aws_iam_role.rust_lambda_exec.arn
96 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.rust
File: /lessons/128/terraform/4-rust-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
78 | resource "aws_lambda_function" "rust" {
79 | function_name = "rust"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_rust.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "provided.al2"
91 | handler = "bootstrap"
92 |
93 | source_code_hash = data.archive_file.lambda_rust.output_base64sha256
94 |
95 | role = aws_iam_role.rust_lambda_exec.arn
96 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.rust
File: /lessons/128/terraform/4-rust-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
78 | resource "aws_lambda_function" "rust" {
79 | function_name = "rust"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_rust.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "provided.al2"
91 | handler = "bootstrap"
92 |
93 | source_code_hash = data.archive_file.lambda_rust.output_base64sha256
94 |
95 | role = aws_iam_role.rust_lambda_exec.arn
96 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.rust
File: /lessons/128/terraform/4-rust-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
78 | resource "aws_lambda_function" "rust" {
79 | function_name = "rust"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_rust.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "provided.al2"
91 | handler = "bootstrap"
92 |
93 | source_code_hash = data.archive_file.lambda_rust.output_base64sha256
94 |
95 | role = aws_iam_role.rust_lambda_exec.arn
96 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.rust
File: /lessons/128/terraform/4-rust-lambda.tf:98-102
98 | resource "aws_cloudwatch_log_group" "rust" {
99 | name = "/aws/lambda/${aws_lambda_function.rust.function_name}"
100 |
101 | retention_in_days = 14
102 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.rust
File: /lessons/128/terraform/4-rust-lambda.tf:98-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
98 | resource "aws_cloudwatch_log_group" "rust" {
99 | name = "/aws/lambda/${aws_lambda_function.rust.function_name}"
100 |
101 | retention_in_days = 14
102 | }
Check: CKV_AWS_258: "Ensure that Lambda function URLs AuthType is not None"
FAILED for resource: aws_lambda_function_url.lambda_rust
File: /lessons/128/terraform/4-rust-lambda.tf:120-123
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined.html
120 | resource "aws_lambda_function_url" "lambda_rust" {
121 | function_name = aws_lambda_function.rust.function_name
122 | authorization_type = "NONE"
123 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.go
File: /lessons/128/terraform/5-go-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
78 | resource "aws_lambda_function" "go" {
79 | function_name = "go"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "go1.x"
91 | handler = "main"
92 |
93 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
94 |
95 | role = aws_iam_role.go_lambda_exec.arn
96 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.go
File: /lessons/128/terraform/5-go-lambda.tf:78-96
78 | resource "aws_lambda_function" "go" {
79 | function_name = "go"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "go1.x"
91 | handler = "main"
92 |
93 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
94 |
95 | role = aws_iam_role.go_lambda_exec.arn
96 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.go
File: /lessons/128/terraform/5-go-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
78 | resource "aws_lambda_function" "go" {
79 | function_name = "go"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "go1.x"
91 | handler = "main"
92 |
93 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
94 |
95 | role = aws_iam_role.go_lambda_exec.arn
96 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.go
File: /lessons/128/terraform/5-go-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
78 | resource "aws_lambda_function" "go" {
79 | function_name = "go"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "go1.x"
91 | handler = "main"
92 |
93 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
94 |
95 | role = aws_iam_role.go_lambda_exec.arn
96 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.go
File: /lessons/128/terraform/5-go-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
78 | resource "aws_lambda_function" "go" {
79 | function_name = "go"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "go1.x"
91 | handler = "main"
92 |
93 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
94 |
95 | role = aws_iam_role.go_lambda_exec.arn
96 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.go
File: /lessons/128/terraform/5-go-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
78 | resource "aws_lambda_function" "go" {
79 | function_name = "go"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "go1.x"
91 | handler = "main"
92 |
93 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
94 |
95 | role = aws_iam_role.go_lambda_exec.arn
96 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.go
File: /lessons/128/terraform/5-go-lambda.tf:98-102
98 | resource "aws_cloudwatch_log_group" "go" {
99 | name = "/aws/lambda/${aws_lambda_function.go.function_name}"
100 |
101 | retention_in_days = 14
102 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.go
File: /lessons/128/terraform/5-go-lambda.tf:98-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
98 | resource "aws_cloudwatch_log_group" "go" {
99 | name = "/aws/lambda/${aws_lambda_function.go.function_name}"
100 |
101 | retention_in_days = 14
102 | }
Check: CKV_AWS_258: "Ensure that Lambda function URLs AuthType is not None"
FAILED for resource: aws_lambda_function_url.lambda_go
File: /lessons/128/terraform/5-go-lambda.tf:120-123
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined.html
120 | resource "aws_lambda_function_url" "lambda_go" {
121 | function_name = aws_lambda_function.go.function_name
122 | authorization_type = "NONE"
123 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.go_custom
File: /lessons/128/terraform/6-go-custom-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
78 | resource "aws_lambda_function" "go_custom" {
79 | function_name = "go-custom"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go_custom.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "provided.al2"
91 | handler = "bootstrap"
92 |
93 | source_code_hash = data.archive_file.lambda_go_custom.output_base64sha256
94 |
95 | role = aws_iam_role.go_custom_lambda_exec.arn
96 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.go_custom
File: /lessons/128/terraform/6-go-custom-lambda.tf:78-96
78 | resource "aws_lambda_function" "go_custom" {
79 | function_name = "go-custom"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go_custom.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "provided.al2"
91 | handler = "bootstrap"
92 |
93 | source_code_hash = data.archive_file.lambda_go_custom.output_base64sha256
94 |
95 | role = aws_iam_role.go_custom_lambda_exec.arn
96 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.go_custom
File: /lessons/128/terraform/6-go-custom-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
78 | resource "aws_lambda_function" "go_custom" {
79 | function_name = "go-custom"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go_custom.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "provided.al2"
91 | handler = "bootstrap"
92 |
93 | source_code_hash = data.archive_file.lambda_go_custom.output_base64sha256
94 |
95 | role = aws_iam_role.go_custom_lambda_exec.arn
96 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.go_custom
File: /lessons/128/terraform/6-go-custom-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
78 | resource "aws_lambda_function" "go_custom" {
79 | function_name = "go-custom"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go_custom.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "provided.al2"
91 | handler = "bootstrap"
92 |
93 | source_code_hash = data.archive_file.lambda_go_custom.output_base64sha256
94 |
95 | role = aws_iam_role.go_custom_lambda_exec.arn
96 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.go_custom
File: /lessons/128/terraform/6-go-custom-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
78 | resource "aws_lambda_function" "go_custom" {
79 | function_name = "go-custom"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go_custom.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "provided.al2"
91 | handler = "bootstrap"
92 |
93 | source_code_hash = data.archive_file.lambda_go_custom.output_base64sha256
94 |
95 | role = aws_iam_role.go_custom_lambda_exec.arn
96 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.go_custom
File: /lessons/128/terraform/6-go-custom-lambda.tf:78-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
78 | resource "aws_lambda_function" "go_custom" {
79 | function_name = "go-custom"
80 |
81 | s3_bucket = aws_s3_bucket.lambda_bucket.id
82 | s3_key = aws_s3_object.lambda_go_custom.key
83 |
84 | environment {
85 | variables = {
86 | BUCKET_NAME = aws_s3_bucket.images_bucket.id
87 | }
88 | }
89 |
90 | runtime = "provided.al2"
91 | handler = "bootstrap"
92 |
93 | source_code_hash = data.archive_file.lambda_go_custom.output_base64sha256
94 |
95 | role = aws_iam_role.go_custom_lambda_exec.arn
96 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.go_custom
File: /lessons/128/terraform/6-go-custom-lambda.tf:98-102
98 | resource "aws_cloudwatch_log_group" "go_custom" {
99 | name = "/aws/lambda/${aws_lambda_function.go_custom.function_name}"
100 |
101 | retention_in_days = 14
102 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.go_custom
File: /lessons/128/terraform/6-go-custom-lambda.tf:98-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
98 | resource "aws_cloudwatch_log_group" "go_custom" {
99 | name = "/aws/lambda/${aws_lambda_function.go_custom.function_name}"
100 |
101 | retention_in_days = 14
102 | }
Check: CKV_AWS_258: "Ensure that Lambda function URLs AuthType is not None"
FAILED for resource: aws_lambda_function_url.lambda_go_custom
File: /lessons/128/terraform/6-go-custom-lambda.tf:120-123
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined.html
120 | resource "aws_lambda_function_url" "lambda_go_custom" {
121 | function_name = aws_lambda_function.go_custom.function_name
122 | authorization_type = "NONE"
123 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.go_hello
File: /lessons/129/terraform/2-aws-hello-world-function.tf:25-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
25 | resource "aws_lambda_function" "go_hello" {
26 | function_name = "hello-world"
27 |
28 | memory_size = 1024
29 | timeout = 60
30 |
31 | s3_bucket = aws_s3_bucket.functions.id
32 | s3_key = aws_s3_object.lambda_go_hello.key
33 |
34 | environment {
35 | variables = {
36 | BUCKET_NAME = aws_s3_bucket.images.id
37 | }
38 | }
39 |
40 | runtime = "go1.x"
41 | handler = "main"
42 |
43 | source_code_hash = data.archive_file.lambda_go_hello.output_base64sha256
44 |
45 | role = aws_iam_role.go_hello_lambda_exec.arn
46 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.go_hello
File: /lessons/129/terraform/2-aws-hello-world-function.tf:25-46
25 | resource "aws_lambda_function" "go_hello" {
26 | function_name = "hello-world"
27 |
28 | memory_size = 1024
29 | timeout = 60
30 |
31 | s3_bucket = aws_s3_bucket.functions.id
32 | s3_key = aws_s3_object.lambda_go_hello.key
33 |
34 | environment {
35 | variables = {
36 | BUCKET_NAME = aws_s3_bucket.images.id
37 | }
38 | }
39 |
40 | runtime = "go1.x"
41 | handler = "main"
42 |
43 | source_code_hash = data.archive_file.lambda_go_hello.output_base64sha256
44 |
45 | role = aws_iam_role.go_hello_lambda_exec.arn
46 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.go_hello
File: /lessons/129/terraform/2-aws-hello-world-function.tf:25-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
25 | resource "aws_lambda_function" "go_hello" {
26 | function_name = "hello-world"
27 |
28 | memory_size = 1024
29 | timeout = 60
30 |
31 | s3_bucket = aws_s3_bucket.functions.id
32 | s3_key = aws_s3_object.lambda_go_hello.key
33 |
34 | environment {
35 | variables = {
36 | BUCKET_NAME = aws_s3_bucket.images.id
37 | }
38 | }
39 |
40 | runtime = "go1.x"
41 | handler = "main"
42 |
43 | source_code_hash = data.archive_file.lambda_go_hello.output_base64sha256
44 |
45 | role = aws_iam_role.go_hello_lambda_exec.arn
46 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.go_hello
File: /lessons/129/terraform/2-aws-hello-world-function.tf:25-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
25 | resource "aws_lambda_function" "go_hello" {
26 | function_name = "hello-world"
27 |
28 | memory_size = 1024
29 | timeout = 60
30 |
31 | s3_bucket = aws_s3_bucket.functions.id
32 | s3_key = aws_s3_object.lambda_go_hello.key
33 |
34 | environment {
35 | variables = {
36 | BUCKET_NAME = aws_s3_bucket.images.id
37 | }
38 | }
39 |
40 | runtime = "go1.x"
41 | handler = "main"
42 |
43 | source_code_hash = data.archive_file.lambda_go_hello.output_base64sha256
44 |
45 | role = aws_iam_role.go_hello_lambda_exec.arn
46 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.go_hello
File: /lessons/129/terraform/2-aws-hello-world-function.tf:25-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
25 | resource "aws_lambda_function" "go_hello" {
26 | function_name = "hello-world"
27 |
28 | memory_size = 1024
29 | timeout = 60
30 |
31 | s3_bucket = aws_s3_bucket.functions.id
32 | s3_key = aws_s3_object.lambda_go_hello.key
33 |
34 | environment {
35 | variables = {
36 | BUCKET_NAME = aws_s3_bucket.images.id
37 | }
38 | }
39 |
40 | runtime = "go1.x"
41 | handler = "main"
42 |
43 | source_code_hash = data.archive_file.lambda_go_hello.output_base64sha256
44 |
45 | role = aws_iam_role.go_hello_lambda_exec.arn
46 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.go_hello
File: /lessons/129/terraform/2-aws-hello-world-function.tf:25-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
25 | resource "aws_lambda_function" "go_hello" {
26 | function_name = "hello-world"
27 |
28 | memory_size = 1024
29 | timeout = 60
30 |
31 | s3_bucket = aws_s3_bucket.functions.id
32 | s3_key = aws_s3_object.lambda_go_hello.key
33 |
34 | environment {
35 | variables = {
36 | BUCKET_NAME = aws_s3_bucket.images.id
37 | }
38 | }
39 |
40 | runtime = "go1.x"
41 | handler = "main"
42 |
43 | source_code_hash = data.archive_file.lambda_go_hello.output_base64sha256
44 |
45 | role = aws_iam_role.go_hello_lambda_exec.arn
46 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.go_hello
File: /lessons/129/terraform/2-aws-hello-world-function.tf:48-52
48 | resource "aws_cloudwatch_log_group" "go_hello" {
49 | name = "/aws/lambda/${aws_lambda_function.go_hello.function_name}"
50 |
51 | retention_in_days = 14
52 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.go_hello
File: /lessons/129/terraform/2-aws-hello-world-function.tf:48-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
48 | resource "aws_cloudwatch_log_group" "go_hello" {
49 | name = "/aws/lambda/${aws_lambda_function.go_hello.function_name}"
50 |
51 | retention_in_days = 14
52 | }
Check: CKV_AWS_258: "Ensure that Lambda function URLs AuthType is not None"
FAILED for resource: aws_lambda_function_url.lambda_go_hello
File: /lessons/129/terraform/2-aws-hello-world-function.tf:70-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined.html
70 | resource "aws_lambda_function_url" "lambda_go_hello" {
71 | function_name = aws_lambda_function.go_hello.function_name
72 | authorization_type = "NONE"
73 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.go
File: /lessons/129/terraform/3-aws-resizer-function.tf:45-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
45 | resource "aws_lambda_function" "go" {
46 | function_name = "resizer"
47 |
48 | memory_size = 1024
49 | timeout = 60
50 |
51 | s3_bucket = aws_s3_bucket.functions.id
52 | s3_key = aws_s3_object.lambda_go.key
53 |
54 | environment {
55 | variables = {
56 | BUCKET_NAME = aws_s3_bucket.images.id
57 | }
58 | }
59 |
60 | runtime = "go1.x"
61 | handler = "main"
62 |
63 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
64 |
65 | role = aws_iam_role.go_lambda_exec.arn
66 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.go
File: /lessons/129/terraform/3-aws-resizer-function.tf:45-66
45 | resource "aws_lambda_function" "go" {
46 | function_name = "resizer"
47 |
48 | memory_size = 1024
49 | timeout = 60
50 |
51 | s3_bucket = aws_s3_bucket.functions.id
52 | s3_key = aws_s3_object.lambda_go.key
53 |
54 | environment {
55 | variables = {
56 | BUCKET_NAME = aws_s3_bucket.images.id
57 | }
58 | }
59 |
60 | runtime = "go1.x"
61 | handler = "main"
62 |
63 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
64 |
65 | role = aws_iam_role.go_lambda_exec.arn
66 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.go
File: /lessons/129/terraform/3-aws-resizer-function.tf:45-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
45 | resource "aws_lambda_function" "go" {
46 | function_name = "resizer"
47 |
48 | memory_size = 1024
49 | timeout = 60
50 |
51 | s3_bucket = aws_s3_bucket.functions.id
52 | s3_key = aws_s3_object.lambda_go.key
53 |
54 | environment {
55 | variables = {
56 | BUCKET_NAME = aws_s3_bucket.images.id
57 | }
58 | }
59 |
60 | runtime = "go1.x"
61 | handler = "main"
62 |
63 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
64 |
65 | role = aws_iam_role.go_lambda_exec.arn
66 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.go
File: /lessons/129/terraform/3-aws-resizer-function.tf:45-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
45 | resource "aws_lambda_function" "go" {
46 | function_name = "resizer"
47 |
48 | memory_size = 1024
49 | timeout = 60
50 |
51 | s3_bucket = aws_s3_bucket.functions.id
52 | s3_key = aws_s3_object.lambda_go.key
53 |
54 | environment {
55 | variables = {
56 | BUCKET_NAME = aws_s3_bucket.images.id
57 | }
58 | }
59 |
60 | runtime = "go1.x"
61 | handler = "main"
62 |
63 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
64 |
65 | role = aws_iam_role.go_lambda_exec.arn
66 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.go
File: /lessons/129/terraform/3-aws-resizer-function.tf:45-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
45 | resource "aws_lambda_function" "go" {
46 | function_name = "resizer"
47 |
48 | memory_size = 1024
49 | timeout = 60
50 |
51 | s3_bucket = aws_s3_bucket.functions.id
52 | s3_key = aws_s3_object.lambda_go.key
53 |
54 | environment {
55 | variables = {
56 | BUCKET_NAME = aws_s3_bucket.images.id
57 | }
58 | }
59 |
60 | runtime = "go1.x"
61 | handler = "main"
62 |
63 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
64 |
65 | role = aws_iam_role.go_lambda_exec.arn
66 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.go
File: /lessons/129/terraform/3-aws-resizer-function.tf:45-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
45 | resource "aws_lambda_function" "go" {
46 | function_name = "resizer"
47 |
48 | memory_size = 1024
49 | timeout = 60
50 |
51 | s3_bucket = aws_s3_bucket.functions.id
52 | s3_key = aws_s3_object.lambda_go.key
53 |
54 | environment {
55 | variables = {
56 | BUCKET_NAME = aws_s3_bucket.images.id
57 | }
58 | }
59 |
60 | runtime = "go1.x"
61 | handler = "main"
62 |
63 | source_code_hash = data.archive_file.lambda_go.output_base64sha256
64 |
65 | role = aws_iam_role.go_lambda_exec.arn
66 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.go
File: /lessons/129/terraform/3-aws-resizer-function.tf:68-72
68 | resource "aws_cloudwatch_log_group" "go" {
69 | name = "/aws/lambda/${aws_lambda_function.go.function_name}"
70 |
71 | retention_in_days = 14
72 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.go
File: /lessons/129/terraform/3-aws-resizer-function.tf:68-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
68 | resource "aws_cloudwatch_log_group" "go" {
69 | name = "/aws/lambda/${aws_lambda_function.go.function_name}"
70 |
71 | retention_in_days = 14
72 | }
Check: CKV_AWS_258: "Ensure that Lambda function URLs AuthType is not None"
FAILED for resource: aws_lambda_function_url.lambda_go
File: /lessons/129/terraform/3-aws-resizer-function.tf:90-93
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined.html
90 | resource "aws_lambda_function_url" "lambda_go" {
91 | function_name = aws_lambda_function.go.function_name
92 | authorization_type = "NONE"
93 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: google_storage_bucket.functions
File: /lessons/129/terraform/5-gcp-buckets.tf:2-7
2 | resource "google_storage_bucket" "functions" {
3 | name = "functions-${random_id.lesson.hex}"
4 | location = "US-EAST4"
5 | force_destroy = true
6 | uniform_bucket_level_access = true
7 | }
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
FAILED for resource: google_storage_bucket.functions
File: /lessons/129/terraform/5-gcp-buckets.tf:2-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
2 | resource "google_storage_bucket" "functions" {
3 | name = "functions-${random_id.lesson.hex}"
4 | location = "US-EAST4"
5 | force_destroy = true
6 | uniform_bucket_level_access = true
7 | }
Check: CKV_GCP_62: "Bucket should log access"
FAILED for resource: google_storage_bucket.functions
File: /lessons/129/terraform/5-gcp-buckets.tf:2-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2.html
2 | resource "google_storage_bucket" "functions" {
3 | name = "functions-${random_id.lesson.hex}"
4 | location = "US-EAST4"
5 | force_destroy = true
6 | uniform_bucket_level_access = true
7 | }
Check: CKV_GCP_114: "Ensure public access prevention is enforced on Cloud Storage bucket"
FAILED for resource: google_storage_bucket.images
File: /lessons/129/terraform/5-gcp-buckets.tf:10-15
10 | resource "google_storage_bucket" "images" {
11 | name = "images-${random_id.lesson.hex}"
12 | location = "US-EAST4"
13 | force_destroy = true
14 | uniform_bucket_level_access = true
15 | }
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
FAILED for resource: google_storage_bucket.images
File: /lessons/129/terraform/5-gcp-buckets.tf:10-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-cloud-storage-has-versioning-enabled.html
10 | resource "google_storage_bucket" "images" {
11 | name = "images-${random_id.lesson.hex}"
12 | location = "US-EAST4"
13 | force_destroy = true
14 | uniform_bucket_level_access = true
15 | }
Check: CKV_GCP_62: "Bucket should log access"
FAILED for resource: google_storage_bucket.images
File: /lessons/129/terraform/5-gcp-buckets.tf:10-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-storage-gcs-policies/bc-gcp-logging-2.html
10 | resource "google_storage_bucket" "images" {
11 | name = "images-${random_id.lesson.hex}"
12 | location = "US-EAST4"
13 | force_destroy = true
14 | uniform_bucket_level_access = true
15 | }
Check: CKV_GCP_102: "Ensure that GCP Cloud Run services are not anonymously or publicly accessible"
FAILED for resource: google_cloud_run_service_iam_member.hello_world_member
File: /lessons/129/terraform/6-gcp-hello-world-function.tf:45-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-public-policies/ensure-cloud-run-service-is-not-anonymously-or-publicly-accessible.html
45 | resource "google_cloud_run_service_iam_member" "hello_world_member" {
46 | project = google_cloudfunctions2_function.hello_world.project
47 | location = google_cloudfunctions2_function.hello_world.location
48 | service = google_cloudfunctions2_function.hello_world.name
49 | role = "roles/run.invoker"
50 | member = "allUsers"
51 | }
Check: CKV_GCP_102: "Ensure that GCP Cloud Run services are not anonymously or publicly accessible"
FAILED for resource: google_cloud_run_service_iam_member.go_member
File: /lessons/129/terraform/7-gcp-resizer-function.tf:52-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-public-policies/ensure-cloud-run-service-is-not-anonymously-or-publicly-accessible.html
52 | resource "google_cloud_run_service_iam_member" "go_member" {
53 | project = google_cloudfunctions2_function.go.project
54 | location = google_cloudfunctions2_function.go.location
55 | service = google_cloudfunctions2_function.go.name
56 | role = "roles/run.invoker"
57 | member = "allUsers"
58 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.go_gs
File: /lessons/129/terraform/8-aws-gs-resizer-function.tf:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
1 | resource "aws_lambda_function" "go_gs" {
2 | function_name = "gs-resizer"
3 |
4 | memory_size = 1024
5 | timeout = 60
6 |
7 | s3_bucket = aws_s3_bucket.functions.id
8 | s3_key = aws_s3_object.lambda_go_gs.key
9 |
10 | environment {
11 | variables = {
12 | BUCKET_NAME = google_storage_bucket.images.id
13 | }
14 | }
15 |
16 | runtime = "go1.x"
17 | handler = "main"
18 |
19 | source_code_hash = data.archive_file.lambda_go_gs.output_base64sha256
20 |
21 | role = aws_iam_role.go_lambda_exec.arn
22 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.go_gs
File: /lessons/129/terraform/8-aws-gs-resizer-function.tf:1-22
1 | resource "aws_lambda_function" "go_gs" {
2 | function_name = "gs-resizer"
3 |
4 | memory_size = 1024
5 | timeout = 60
6 |
7 | s3_bucket = aws_s3_bucket.functions.id
8 | s3_key = aws_s3_object.lambda_go_gs.key
9 |
10 | environment {
11 | variables = {
12 | BUCKET_NAME = google_storage_bucket.images.id
13 | }
14 | }
15 |
16 | runtime = "go1.x"
17 | handler = "main"
18 |
19 | source_code_hash = data.archive_file.lambda_go_gs.output_base64sha256
20 |
21 | role = aws_iam_role.go_lambda_exec.arn
22 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.go_gs
File: /lessons/129/terraform/8-aws-gs-resizer-function.tf:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
1 | resource "aws_lambda_function" "go_gs" {
2 | function_name = "gs-resizer"
3 |
4 | memory_size = 1024
5 | timeout = 60
6 |
7 | s3_bucket = aws_s3_bucket.functions.id
8 | s3_key = aws_s3_object.lambda_go_gs.key
9 |
10 | environment {
11 | variables = {
12 | BUCKET_NAME = google_storage_bucket.images.id
13 | }
14 | }
15 |
16 | runtime = "go1.x"
17 | handler = "main"
18 |
19 | source_code_hash = data.archive_file.lambda_go_gs.output_base64sha256
20 |
21 | role = aws_iam_role.go_lambda_exec.arn
22 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.go_gs
File: /lessons/129/terraform/8-aws-gs-resizer-function.tf:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
1 | resource "aws_lambda_function" "go_gs" {
2 | function_name = "gs-resizer"
3 |
4 | memory_size = 1024
5 | timeout = 60
6 |
7 | s3_bucket = aws_s3_bucket.functions.id
8 | s3_key = aws_s3_object.lambda_go_gs.key
9 |
10 | environment {
11 | variables = {
12 | BUCKET_NAME = google_storage_bucket.images.id
13 | }
14 | }
15 |
16 | runtime = "go1.x"
17 | handler = "main"
18 |
19 | source_code_hash = data.archive_file.lambda_go_gs.output_base64sha256
20 |
21 | role = aws_iam_role.go_lambda_exec.arn
22 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.go_gs
File: /lessons/129/terraform/8-aws-gs-resizer-function.tf:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
1 | resource "aws_lambda_function" "go_gs" {
2 | function_name = "gs-resizer"
3 |
4 | memory_size = 1024
5 | timeout = 60
6 |
7 | s3_bucket = aws_s3_bucket.functions.id
8 | s3_key = aws_s3_object.lambda_go_gs.key
9 |
10 | environment {
11 | variables = {
12 | BUCKET_NAME = google_storage_bucket.images.id
13 | }
14 | }
15 |
16 | runtime = "go1.x"
17 | handler = "main"
18 |
19 | source_code_hash = data.archive_file.lambda_go_gs.output_base64sha256
20 |
21 | role = aws_iam_role.go_lambda_exec.arn
22 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.go_gs
File: /lessons/129/terraform/8-aws-gs-resizer-function.tf:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
1 | resource "aws_lambda_function" "go_gs" {
2 | function_name = "gs-resizer"
3 |
4 | memory_size = 1024
5 | timeout = 60
6 |
7 | s3_bucket = aws_s3_bucket.functions.id
8 | s3_key = aws_s3_object.lambda_go_gs.key
9 |
10 | environment {
11 | variables = {
12 | BUCKET_NAME = google_storage_bucket.images.id
13 | }
14 | }
15 |
16 | runtime = "go1.x"
17 | handler = "main"
18 |
19 | source_code_hash = data.archive_file.lambda_go_gs.output_base64sha256
20 |
21 | role = aws_iam_role.go_lambda_exec.arn
22 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.go_gs
File: /lessons/129/terraform/8-aws-gs-resizer-function.tf:24-28
24 | resource "aws_cloudwatch_log_group" "go_gs" {
25 | name = "/aws/lambda/${aws_lambda_function.go_gs.function_name}"
26 |
27 | retention_in_days = 14
28 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.go_gs
File: /lessons/129/terraform/8-aws-gs-resizer-function.tf:24-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
24 | resource "aws_cloudwatch_log_group" "go_gs" {
25 | name = "/aws/lambda/${aws_lambda_function.go_gs.function_name}"
26 |
27 | retention_in_days = 14
28 | }
Check: CKV_AWS_258: "Ensure that Lambda function URLs AuthType is not None"
FAILED for resource: aws_lambda_function_url.lambda_go_gs
File: /lessons/129/terraform/8-aws-gs-resizer-function.tf:46-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-authtype-for-your-lambda-function-urls-is-defined.html
46 | resource "aws_lambda_function_url" "lambda_go_gs" {
47 | function_name = aws_lambda_function.go_gs.function_name
48 | authorization_type = "NONE"
49 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.my_app
File: /lessons/130/terraform/12-ec2.tf:1-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
1 | resource "aws_security_group" "my_app" {
2 | name = "my-app"
3 | description = "Allow My App Access"
4 | vpc_id = aws_vpc.main.id
5 |
6 | ingress {
7 | description = "Allow Node Exporter Access"
8 | from_port = 9100
9 | to_port = 9100
10 | protocol = "tcp"
11 | security_groups = [aws_eks_cluster.demo.vpc_config[0].cluster_security_group_id]
12 | }
13 |
14 | ingress {
15 | description = "Allow SSH Access"
16 | from_port = 22
17 | to_port = 22
18 | protocol = "tcp"
19 | cidr_blocks = ["0.0.0.0/0"]
20 | }
21 |
22 | egress {
23 | from_port = 0
24 | to_port = 0
25 | protocol = "-1"
26 | cidr_blocks = ["0.0.0.0/0"]
27 | }
28 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.my_app
File: /lessons/130/terraform/12-ec2.tf:1-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
1 | resource "aws_security_group" "my_app" {
2 | name = "my-app"
3 | description = "Allow My App Access"
4 | vpc_id = aws_vpc.main.id
5 |
6 | ingress {
7 | description = "Allow Node Exporter Access"
8 | from_port = 9100
9 | to_port = 9100
10 | protocol = "tcp"
11 | security_groups = [aws_eks_cluster.demo.vpc_config[0].cluster_security_group_id]
12 | }
13 |
14 | ingress {
15 | description = "Allow SSH Access"
16 | from_port = 22
17 | to_port = 22
18 | protocol = "tcp"
19 | cidr_blocks = ["0.0.0.0/0"]
20 | }
21 |
22 | egress {
23 | from_port = 0
24 | to_port = 0
25 | protocol = "-1"
26 | cidr_blocks = ["0.0.0.0/0"]
27 | }
28 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.my_app
File: /lessons/130/terraform/12-ec2.tf:46-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
46 | resource "aws_instance" "my_app" {
47 | ami = data.aws_ami.ubuntu.id
48 | instance_type = "t3.micro"
49 | key_name = "devops"
50 | subnet_id = aws_subnet.public_us_east_1a.id
51 | vpc_security_group_ids = [aws_security_group.my_app.id]
52 |
53 | user_data = <> /etc/systemd/system/node_exporter.service
63 | [Unit]
64 | Description=Node Exporter
65 | Wants=network-online.target
66 | After=network-online.target
67 |
68 | StartLimitIntervalSec=500
69 | StartLimitBurst=5
70 |
71 | [Service]
72 | User=node_exporter
73 | Group=node_exporter
74 | Type=simple
75 | Restart=on-failure
76 | RestartSec=5s
77 | ExecStart=/usr/local/bin/node_exporter
78 |
79 | [Install]
80 | WantedBy=multi-user.target
81 | EOT
82 |
83 | systemctl enable node_exporter
84 | systemctl start node_exporter
85 | EOF
86 |
87 | tags = {
88 | Name = "My App"
89 | node-exporter = "true"
90 | }
91 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.my_app
File: /lessons/130/terraform/12-ec2.tf:46-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
46 | resource "aws_instance" "my_app" {
47 | ami = data.aws_ami.ubuntu.id
48 | instance_type = "t3.micro"
49 | key_name = "devops"
50 | subnet_id = aws_subnet.public_us_east_1a.id
51 | vpc_security_group_ids = [aws_security_group.my_app.id]
52 |
53 | user_data = <> /etc/systemd/system/node_exporter.service
63 | [Unit]
64 | Description=Node Exporter
65 | Wants=network-online.target
66 | After=network-online.target
67 |
68 | StartLimitIntervalSec=500
69 | StartLimitBurst=5
70 |
71 | [Service]
72 | User=node_exporter
73 | Group=node_exporter
74 | Type=simple
75 | Restart=on-failure
76 | RestartSec=5s
77 | ExecStart=/usr/local/bin/node_exporter
78 |
79 | [Install]
80 | WantedBy=multi-user.target
81 | EOT
82 |
83 | systemctl enable node_exporter
84 | systemctl start node_exporter
85 | EOF
86 |
87 | tags = {
88 | Name = "My App"
89 | node-exporter = "true"
90 | }
91 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.my_app
File: /lessons/130/terraform/12-ec2.tf:46-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
46 | resource "aws_instance" "my_app" {
47 | ami = data.aws_ami.ubuntu.id
48 | instance_type = "t3.micro"
49 | key_name = "devops"
50 | subnet_id = aws_subnet.public_us_east_1a.id
51 | vpc_security_group_ids = [aws_security_group.my_app.id]
52 |
53 | user_data = <> /etc/systemd/system/node_exporter.service
63 | [Unit]
64 | Description=Node Exporter
65 | Wants=network-online.target
66 | After=network-online.target
67 |
68 | StartLimitIntervalSec=500
69 | StartLimitBurst=5
70 |
71 | [Service]
72 | User=node_exporter
73 | Group=node_exporter
74 | Type=simple
75 | Restart=on-failure
76 | RestartSec=5s
77 | ExecStart=/usr/local/bin/node_exporter
78 |
79 | [Install]
80 | WantedBy=multi-user.target
81 | EOT
82 |
83 | systemctl enable node_exporter
84 | systemctl start node_exporter
85 | EOF
86 |
87 | tags = {
88 | Name = "My App"
89 | node-exporter = "true"
90 | }
91 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.my_app
File: /lessons/130/terraform/12-ec2.tf:46-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
46 | resource "aws_instance" "my_app" {
47 | ami = data.aws_ami.ubuntu.id
48 | instance_type = "t3.micro"
49 | key_name = "devops"
50 | subnet_id = aws_subnet.public_us_east_1a.id
51 | vpc_security_group_ids = [aws_security_group.my_app.id]
52 |
53 | user_data = <> /etc/systemd/system/node_exporter.service
63 | [Unit]
64 | Description=Node Exporter
65 | Wants=network-online.target
66 | After=network-online.target
67 |
68 | StartLimitIntervalSec=500
69 | StartLimitBurst=5
70 |
71 | [Service]
72 | User=node_exporter
73 | Group=node_exporter
74 | Type=simple
75 | Restart=on-failure
76 | RestartSec=5s
77 | ExecStart=/usr/local/bin/node_exporter
78 |
79 | [Install]
80 | WantedBy=multi-user.target
81 | EOT
82 |
83 | systemctl enable node_exporter
84 | systemctl start node_exporter
85 | EOF
86 |
87 | tags = {
88 | Name = "My App"
89 | node-exporter = "true"
90 | }
91 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_us_east_1a
File: /lessons/130/terraform/3-subnets.tf:25-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
25 | resource "aws_subnet" "public_us_east_1a" {
26 | vpc_id = aws_vpc.main.id
27 | cidr_block = "10.0.64.0/19"
28 | availability_zone = "us-east-1a"
29 | map_public_ip_on_launch = true
30 |
31 | tags = {
32 | "Name" = "public-us-east-1a"
33 | "kubernetes.io/role/elb" = "1"
34 | "kubernetes.io/cluster/demo" = "owned"
35 | }
36 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_us_east_1b
File: /lessons/130/terraform/3-subnets.tf:38-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
38 | resource "aws_subnet" "public_us_east_1b" {
39 | vpc_id = aws_vpc.main.id
40 | cidr_block = "10.0.96.0/19"
41 | availability_zone = "us-east-1b"
42 | map_public_ip_on_launch = true
43 |
44 | tags = {
45 | "Name" = "public-us-east-1b"
46 | "kubernetes.io/role/elb" = "1"
47 | "kubernetes.io/cluster/demo" = "owned"
48 | }
49 | }
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/130/terraform/6-eks.tf:25-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
25 | resource "aws_eks_cluster" "demo" {
26 | name = "demo"
27 | role_arn = aws_iam_role.demo.arn
28 |
29 | vpc_config {
30 | subnet_ids = [
31 | aws_subnet.private_us_east_1a.id,
32 | aws_subnet.private_us_east_1b.id,
33 | aws_subnet.public_us_east_1a.id,
34 | aws_subnet.public_us_east_1b.id
35 | ]
36 | }
37 |
38 | depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
39 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/130/terraform/6-eks.tf:25-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
25 | resource "aws_eks_cluster" "demo" {
26 | name = "demo"
27 | role_arn = aws_iam_role.demo.arn
28 |
29 | vpc_config {
30 | subnet_ids = [
31 | aws_subnet.private_us_east_1a.id,
32 | aws_subnet.private_us_east_1b.id,
33 | aws_subnet.public_us_east_1a.id,
34 | aws_subnet.public_us_east_1b.id
35 | ]
36 | }
37 |
38 | depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
39 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/130/terraform/6-eks.tf:25-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
25 | resource "aws_eks_cluster" "demo" {
26 | name = "demo"
27 | role_arn = aws_iam_role.demo.arn
28 |
29 | vpc_config {
30 | subnet_ids = [
31 | aws_subnet.private_us_east_1a.id,
32 | aws_subnet.private_us_east_1b.id,
33 | aws_subnet.public_us_east_1a.id,
34 | aws_subnet.public_us_east_1b.id
35 | ]
36 | }
37 |
38 | depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
39 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/130/terraform/6-eks.tf:25-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
25 | resource "aws_eks_cluster" "demo" {
26 | name = "demo"
27 | role_arn = aws_iam_role.demo.arn
28 |
29 | vpc_config {
30 | subnet_ids = [
31 | aws_subnet.private_us_east_1a.id,
32 | aws_subnet.private_us_east_1b.id,
33 | aws_subnet.public_us_east_1a.id,
34 | aws_subnet.public_us_east_1b.id
35 | ]
36 | }
37 |
38 | depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
39 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.prometheus_demo
File: /lessons/130/terraform/9-prometheus.tf:1-4
1 | resource "aws_cloudwatch_log_group" "prometheus_demo" {
2 | name = "/aws/prometheus/demo"
3 | retention_in_days = 14
4 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.prometheus_demo
File: /lessons/130/terraform/9-prometheus.tf:1-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
1 | resource "aws_cloudwatch_log_group" "prometheus_demo" {
2 | name = "/aws/prometheus/demo"
3 | retention_in_days = 14
4 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.prometheus_slack
File: /lessons/131/terraform/12-lambda-prometheus-slack.tf:46-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
46 | resource "aws_lambda_function" "prometheus_slack" {
47 | function_name = "prometheus-slack"
48 |
49 | s3_bucket = aws_s3_bucket.lambda_bucket.id
50 | s3_key = aws_s3_object.prometheus_slack.key
51 |
52 | runtime = "python3.9"
53 | handler = "function.lambda_handler"
54 |
55 | source_code_hash = data.archive_file.prometheus_slack.output_base64sha256
56 |
57 | role = aws_iam_role.prometheus_slack.arn
58 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.prometheus_slack
File: /lessons/131/terraform/12-lambda-prometheus-slack.tf:46-58
46 | resource "aws_lambda_function" "prometheus_slack" {
47 | function_name = "prometheus-slack"
48 |
49 | s3_bucket = aws_s3_bucket.lambda_bucket.id
50 | s3_key = aws_s3_object.prometheus_slack.key
51 |
52 | runtime = "python3.9"
53 | handler = "function.lambda_handler"
54 |
55 | source_code_hash = data.archive_file.prometheus_slack.output_base64sha256
56 |
57 | role = aws_iam_role.prometheus_slack.arn
58 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.prometheus_slack
File: /lessons/131/terraform/12-lambda-prometheus-slack.tf:46-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
46 | resource "aws_lambda_function" "prometheus_slack" {
47 | function_name = "prometheus-slack"
48 |
49 | s3_bucket = aws_s3_bucket.lambda_bucket.id
50 | s3_key = aws_s3_object.prometheus_slack.key
51 |
52 | runtime = "python3.9"
53 | handler = "function.lambda_handler"
54 |
55 | source_code_hash = data.archive_file.prometheus_slack.output_base64sha256
56 |
57 | role = aws_iam_role.prometheus_slack.arn
58 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.prometheus_slack
File: /lessons/131/terraform/12-lambda-prometheus-slack.tf:46-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
46 | resource "aws_lambda_function" "prometheus_slack" {
47 | function_name = "prometheus-slack"
48 |
49 | s3_bucket = aws_s3_bucket.lambda_bucket.id
50 | s3_key = aws_s3_object.prometheus_slack.key
51 |
52 | runtime = "python3.9"
53 | handler = "function.lambda_handler"
54 |
55 | source_code_hash = data.archive_file.prometheus_slack.output_base64sha256
56 |
57 | role = aws_iam_role.prometheus_slack.arn
58 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.prometheus_slack
File: /lessons/131/terraform/12-lambda-prometheus-slack.tf:46-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
46 | resource "aws_lambda_function" "prometheus_slack" {
47 | function_name = "prometheus-slack"
48 |
49 | s3_bucket = aws_s3_bucket.lambda_bucket.id
50 | s3_key = aws_s3_object.prometheus_slack.key
51 |
52 | runtime = "python3.9"
53 | handler = "function.lambda_handler"
54 |
55 | source_code_hash = data.archive_file.prometheus_slack.output_base64sha256
56 |
57 | role = aws_iam_role.prometheus_slack.arn
58 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.prometheus_slack
File: /lessons/131/terraform/12-lambda-prometheus-slack.tf:61-65
61 | resource "aws_cloudwatch_log_group" "prometheus_slack" {
62 | name = "/aws/lambda/${aws_lambda_function.prometheus_slack.function_name}"
63 |
64 | retention_in_days = 14
65 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.prometheus_slack
File: /lessons/131/terraform/12-lambda-prometheus-slack.tf:61-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
61 | resource "aws_cloudwatch_log_group" "prometheus_slack" {
62 | name = "/aws/lambda/${aws_lambda_function.prometheus_slack.function_name}"
63 |
64 | retention_in_days = 14
65 | }
Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.prometheus_pagerduty
File: /lessons/131/terraform/13-lambda-prometheus-pagerduty.tf:46-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
46 | resource "aws_lambda_function" "prometheus_pagerduty" {
47 | function_name = "prometheus-pagerduty"
48 |
49 | s3_bucket = aws_s3_bucket.lambda_bucket.id
50 | s3_key = aws_s3_object.prometheus_pagerduty.key
51 |
52 | runtime = "python3.9"
53 | handler = "function.lambda_handler"
54 |
55 | source_code_hash = data.archive_file.prometheus_pagerduty.output_base64sha256
56 |
57 | role = aws_iam_role.prometheus_pagerduty.arn
58 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.prometheus_pagerduty
File: /lessons/131/terraform/13-lambda-prometheus-pagerduty.tf:46-58
46 | resource "aws_lambda_function" "prometheus_pagerduty" {
47 | function_name = "prometheus-pagerduty"
48 |
49 | s3_bucket = aws_s3_bucket.lambda_bucket.id
50 | s3_key = aws_s3_object.prometheus_pagerduty.key
51 |
52 | runtime = "python3.9"
53 | handler = "function.lambda_handler"
54 |
55 | source_code_hash = data.archive_file.prometheus_pagerduty.output_base64sha256
56 |
57 | role = aws_iam_role.prometheus_pagerduty.arn
58 | }
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.prometheus_pagerduty
File: /lessons/131/terraform/13-lambda-prometheus-pagerduty.tf:46-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
46 | resource "aws_lambda_function" "prometheus_pagerduty" {
47 | function_name = "prometheus-pagerduty"
48 |
49 | s3_bucket = aws_s3_bucket.lambda_bucket.id
50 | s3_key = aws_s3_object.prometheus_pagerduty.key
51 |
52 | runtime = "python3.9"
53 | handler = "function.lambda_handler"
54 |
55 | source_code_hash = data.archive_file.prometheus_pagerduty.output_base64sha256
56 |
57 | role = aws_iam_role.prometheus_pagerduty.arn
58 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.prometheus_pagerduty
File: /lessons/131/terraform/13-lambda-prometheus-pagerduty.tf:46-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
46 | resource "aws_lambda_function" "prometheus_pagerduty" {
47 | function_name = "prometheus-pagerduty"
48 |
49 | s3_bucket = aws_s3_bucket.lambda_bucket.id
50 | s3_key = aws_s3_object.prometheus_pagerduty.key
51 |
52 | runtime = "python3.9"
53 | handler = "function.lambda_handler"
54 |
55 | source_code_hash = data.archive_file.prometheus_pagerduty.output_base64sha256
56 |
57 | role = aws_iam_role.prometheus_pagerduty.arn
58 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.prometheus_pagerduty
File: /lessons/131/terraform/13-lambda-prometheus-pagerduty.tf:46-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
46 | resource "aws_lambda_function" "prometheus_pagerduty" {
47 | function_name = "prometheus-pagerduty"
48 |
49 | s3_bucket = aws_s3_bucket.lambda_bucket.id
50 | s3_key = aws_s3_object.prometheus_pagerduty.key
51 |
52 | runtime = "python3.9"
53 | handler = "function.lambda_handler"
54 |
55 | source_code_hash = data.archive_file.prometheus_pagerduty.output_base64sha256
56 |
57 | role = aws_iam_role.prometheus_pagerduty.arn
58 | }
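The five Lambda findings above (CKV_AWS_50, 272, 115, 116, 117) are all fixed on the same resource. The block below is an added example, not code from the tutorials repository: it is aws_lambda_function.prometheus_pagerduty from lessons/131/terraform/13-lambda-prometheus-pagerduty.tf with each missing argument added, plus the supporting resources those arguments need. The DLQ queue, signing profile, code-signing config, private subnet, egress-only security group and the three role attachments are assumptions (the page does not show them for lesson 131); the same changes apply to aws_lambda_function.prometheus_slack.

```hcl
# Added example (not from the tutorials repo). Resources marked ASSUMED do not
# exist in the original lesson 131 files. Declare data sources once per module.

# CKV_AWS_116: SNS invokes Lambda asynchronously; events that exhaust the
# retries land here instead of being silently dropped.
resource "aws_sqs_queue" "prometheus_pagerduty_dlq" { # ASSUMED
  name                      = "prometheus-pagerduty-dlq"
  message_retention_seconds = 1209600 # 14 days, the SQS maximum
  sqs_managed_sse_enabled   = true
}

# CKV_AWS_272: only packages signed by this profile may be deployed.
resource "aws_signer_signing_profile" "lambda" { # ASSUMED
  platform_id = "AWSLambda-SHA384-ECDSA"
}

resource "aws_lambda_code_signing_config" "lambda" { # ASSUMED
  allowed_publishers {
    signing_profile_version_arns = [aws_signer_signing_profile.lambda.version_arn]
  }
  policies {
    untrusted_artifact_on_deployment = "Enforce" # reject unsigned or tampered zips
  }
}

resource "aws_lambda_function" "prometheus_pagerduty" {
  function_name = "prometheus-pagerduty"

  s3_bucket = aws_s3_bucket.lambda_bucket.id
  s3_key    = aws_s3_object.prometheus_pagerduty.key

  runtime = "python3.9"
  handler = "function.lambda_handler"

  source_code_hash = data.archive_file.prometheus_pagerduty.output_base64sha256

  role = aws_iam_role.prometheus_pagerduty.arn

  # CKV_AWS_272
  code_signing_config_arn = aws_lambda_code_signing_config.lambda.arn

  # CKV_AWS_115: a burst of alerts cannot drain the account-wide concurrency
  # pool or hammer the PagerDuty Events API.
  reserved_concurrent_executions = 5

  # CKV_AWS_116
  dead_letter_config {
    target_arn = aws_sqs_queue.prometheus_pagerduty_dlq.arn
  }

  # CKV_AWS_50: X-Ray segment per invocation
  tracing_config {
    mode = "Active"
  }

  # CKV_AWS_117: run in private subnets. The function still has to reach
  # PagerDuty over HTTPS, so those subnets need a NAT gateway (or equivalent).
  vpc_config {
    subnet_ids         = [aws_subnet.private_us_east_1a.id]    # ASSUMED private subnet
    security_group_ids = [aws_security_group.lambda_egress.id] # ASSUMED: egress 443/tcp only
  }
}

# Permissions the new settings require on the execution role.
resource "aws_iam_role_policy_attachment" "prometheus_pagerduty_vpc" {
  role       = aws_iam_role.prometheus_pagerduty.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}

resource "aws_iam_role_policy_attachment" "prometheus_pagerduty_xray" {
  role       = aws_iam_role.prometheus_pagerduty.name
  policy_arn = "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess"
}

resource "aws_iam_role_policy" "prometheus_pagerduty_dlq" {
  name = "dlq-send"
  role = aws_iam_role.prometheus_pagerduty.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "sqs:SendMessage"
      Resource = aws_sqs_queue.prometheus_pagerduty_dlq.arn
    }]
  })
}
```

Two caveats before applying this as written. With `untrusted_artifact_on_deployment = "Enforce"`, the current deploy path (archive_file zip uploaded straight to S3) is rejected until the zip has been through an AWS Signer signing job and `s3_key` points at the signed artifact Signer writes out; use `"Warn"` while that pipeline is being built. And a VPC-attached function without NAT can no longer reach PagerDuty or Slack at all, so confirm egress before flipping `vpc_config` on a notifier that is on the alerting path.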
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.prometheus_pagerduty
File: /lessons/131/terraform/13-lambda-prometheus-pagerduty.tf:61-65
61 | resource "aws_cloudwatch_log_group" "prometheus_pagerduty" {
62 | name = "/aws/lambda/${aws_lambda_function.prometheus_pagerduty.function_name}"
63 |
64 | retention_in_days = 14
65 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.prometheus_pagerduty
File: /lessons/131/terraform/13-lambda-prometheus-pagerduty.tf:61-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
61 | resource "aws_cloudwatch_log_group" "prometheus_pagerduty" {
62 | name = "/aws/lambda/${aws_lambda_function.prometheus_pagerduty.function_name}"
63 |
64 | retention_in_days = 14
65 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_us_east_1a
File: /lessons/131/terraform/3-subnet.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
1 | resource "aws_subnet" "public_us_east_1a" {
2 | vpc_id = aws_vpc.main.id
3 | cidr_block = "10.0.0.0/19"
4 | availability_zone = "us-east-1a"
5 | map_public_ip_on_launch = true
6 |
7 | tags = {
8 | "Name" = "public-us-east-1a"
9 | }
10 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.my_app
File: /lessons/131/terraform/5-ec2.tf:36-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
36 | resource "aws_security_group" "my_app" {
37 | name = "my-app"
38 | description = "Allow My App Access"
39 | vpc_id = aws_vpc.main.id
40 |
41 | ingress {
42 | description = "Allow SSH Access"
43 | from_port = 22
44 | to_port = 22
45 | protocol = "tcp"
46 | cidr_blocks = ["0.0.0.0/0"]
47 | }
48 |
49 | ingress {
50 | description = "Allow Prometheus UI Access (only for demo)"
51 | from_port = 9090
52 | to_port = 9090
53 | protocol = "tcp"
54 | cidr_blocks = ["0.0.0.0/0"]
55 | }
56 |
57 | egress {
58 | from_port = 0
59 | to_port = 0
60 | protocol = "-1"
61 | cidr_blocks = ["0.0.0.0/0"]
62 | }
63 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.my_app
File: /lessons/131/terraform/5-ec2.tf:36-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
36 | resource "aws_security_group" "my_app" {
37 | name = "my-app"
38 | description = "Allow My App Access"
39 | vpc_id = aws_vpc.main.id
40 |
41 | ingress {
42 | description = "Allow SSH Access"
43 | from_port = 22
44 | to_port = 22
45 | protocol = "tcp"
46 | cidr_blocks = ["0.0.0.0/0"]
47 | }
48 |
49 | ingress {
50 | description = "Allow Prometheus UI Access (only for demo)"
51 | from_port = 9090
52 | to_port = 9090
53 | protocol = "tcp"
54 | cidr_blocks = ["0.0.0.0/0"]
55 | }
56 |
57 | egress {
58 | from_port = 0
59 | to_port = 0
60 | protocol = "-1"
61 | cidr_blocks = ["0.0.0.0/0"]
62 | }
63 | }
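CKV_AWS_24 is the one finding in this lesson that is exploitable on its own: port 22 open to 0.0.0.0/0 on an instance that also carries an IAM instance profile. The block below is an added example, not code from the tutorials repository. It rewrites aws_security_group.my_app and aws_subnet.public_us_east_1a from lessons/131/terraform so that every rule has a description (CKV_AWS_23), SSH and the Prometheus UI are reachable only from an operator range (CKV_AWS_24) and the subnet stops handing out public IPs by default (CKV_AWS_130). `var.admin_cidr` is an assumption; the instance that must stay public then sets `associate_public_ip_address = true` itself.

```hcl
# Added example (not from the tutorials repo). var.admin_cidr is ASSUMED.

variable "admin_cidr" {
  description = "IPv4 CIDR allowed to reach SSH and the Prometheus UI (office or VPN egress)"
  type        = string

  validation {
    condition     = var.admin_cidr != "0.0.0.0/0" && can(cidrnetmask(var.admin_cidr))
    error_message = "admin_cidr must be a specific IPv4 CIDR, never 0.0.0.0/0."
  }
}

resource "aws_subnet" "public_us_east_1a" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "10.0.0.0/19"
  availability_zone       = "us-east-1a"
  map_public_ip_on_launch = false # CKV_AWS_130: opt in per instance with associate_public_ip_address

  tags = {
    "Name" = "public-us-east-1a"
  }
}

resource "aws_security_group" "my_app" {
  name        = "my-app"
  description = "Allow My App Access"
  vpc_id      = aws_vpc.main.id

  ingress {
    description = "SSH from the admin range only" # CKV_AWS_24
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }

  ingress {
    description = "Prometheus UI (demo only) from the admin range"
    from_port   = 9090
    to_port     = 9090
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }

  egress {
    description = "All outbound: remote_write to AMP, apt, release downloads" # CKV_AWS_23
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

The stronger fix is to delete the port-22 rule altogether: the instance already has an instance profile, so attaching `arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore` to that role and using Session Manager gives shell access that is logged to CloudTrail and needs no inbound port or shared key pair. The same `map_public_ip_on_launch = false` change applies to the public subnets flagged in lessons 154 and 155, where only load balancers need those subnets.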
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.my_app
File: /lessons/131/terraform/5-ec2.tf:81-101
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
81 | resource "aws_instance" "my_app" {
82 | ami = data.aws_ami.ubuntu.id
83 | instance_type = "t3.micro"
84 | key_name = "devops"
85 | subnet_id = aws_subnet.public_us_east_1a.id
86 | vpc_security_group_ids = [aws_security_group.my_app.id]
87 |
88 | iam_instance_profile = aws_iam_instance_profile.prometheus_demo.name
89 |
90 | user_data = templatefile("bootstrap.sh.tpl",
91 | {
92 | prometheus_ver = "2.39.1",
93 | node_exporter_ver = "1.4.0",
94 | remote_write_url = aws_prometheus_workspace.demo.prometheus_endpoint
95 | })
96 |
97 | tags = {
98 | Name = "my-app.example.pvt"
99 | node-exporter = "true"
100 | }
101 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.my_app
File: /lessons/131/terraform/5-ec2.tf:81-101
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
81 | resource "aws_instance" "my_app" {
82 | ami = data.aws_ami.ubuntu.id
83 | instance_type = "t3.micro"
84 | key_name = "devops"
85 | subnet_id = aws_subnet.public_us_east_1a.id
86 | vpc_security_group_ids = [aws_security_group.my_app.id]
87 |
88 | iam_instance_profile = aws_iam_instance_profile.prometheus_demo.name
89 |
90 | user_data = templatefile("bootstrap.sh.tpl",
91 | {
92 | prometheus_ver = "2.39.1",
93 | node_exporter_ver = "1.4.0",
94 | remote_write_url = aws_prometheus_workspace.demo.prometheus_endpoint
95 | })
96 |
97 | tags = {
98 | Name = "my-app.example.pvt"
99 | node-exporter = "true"
100 | }
101 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.my_app
File: /lessons/131/terraform/5-ec2.tf:81-101
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
81 | resource "aws_instance" "my_app" {
82 | ami = data.aws_ami.ubuntu.id
83 | instance_type = "t3.micro"
84 | key_name = "devops"
85 | subnet_id = aws_subnet.public_us_east_1a.id
86 | vpc_security_group_ids = [aws_security_group.my_app.id]
87 |
88 | iam_instance_profile = aws_iam_instance_profile.prometheus_demo.name
89 |
90 | user_data = templatefile("bootstrap.sh.tpl",
91 | {
92 | prometheus_ver = "2.39.1",
93 | node_exporter_ver = "1.4.0",
94 | remote_write_url = aws_prometheus_workspace.demo.prometheus_endpoint
95 | })
96 |
97 | tags = {
98 | Name = "my-app.example.pvt"
99 | node-exporter = "true"
100 | }
101 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.my_app
File: /lessons/131/terraform/5-ec2.tf:81-101
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
81 | resource "aws_instance" "my_app" {
82 | ami = data.aws_ami.ubuntu.id
83 | instance_type = "t3.micro"
84 | key_name = "devops"
85 | subnet_id = aws_subnet.public_us_east_1a.id
86 | vpc_security_group_ids = [aws_security_group.my_app.id]
87 |
88 | iam_instance_profile = aws_iam_instance_profile.prometheus_demo.name
89 |
90 | user_data = templatefile("bootstrap.sh.tpl",
91 | {
92 | prometheus_ver = "2.39.1",
93 | node_exporter_ver = "1.4.0",
94 | remote_write_url = aws_prometheus_workspace.demo.prometheus_endpoint
95 | })
96 |
97 | tags = {
98 | Name = "my-app.example.pvt"
99 | node-exporter = "true"
100 | }
101 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.prometheus_demo
File: /lessons/131/terraform/6-prometheus.tf:1-4
1 | resource "aws_cloudwatch_log_group" "prometheus_demo" {
2 | name = "/aws/prometheus/demo"
3 | retention_in_days = 14
4 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.prometheus_demo
File: /lessons/131/terraform/6-prometheus.tf:1-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
1 | resource "aws_cloudwatch_log_group" "prometheus_demo" {
2 | name = "/aws/prometheus/demo"
3 | retention_in_days = 14
4 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.alarms
File: /lessons/131/terraform/7-sns-topic.tf:4-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-15.html
4 | resource "aws_sns_topic" "alarms" {
5 | name = "alarms"
6 |
7 | policy = <> /etc/systemd/system/node_exporter.service
64 | [Unit]
65 | Description=Node Exporter
66 | Wants=network-online.target
67 | After=network-online.target
68 | StartLimitIntervalSec=500
69 | StartLimitBurst=5
70 |
71 | [Service]
72 | User=node_exporter
73 | Group=node_exporter
74 | Type=simple
75 | Restart=on-failure
76 | RestartSec=5s
77 | ExecStart=/usr/local/bin/node_exporter
78 |
79 | [Install]
80 | WantedBy=multi-user.target
81 | EOT
82 |
83 | systemctl enable node_exporter
84 | systemctl start node_exporter
85 | EOF
86 |
87 | tags = {
88 | Name = "myapp"
89 | service = "myapp"
90 | node-exporter = "true"
91 | }
92 | }
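The SNS snippet above was cut off by extraction after `policy =`, but the finding itself (CKV_AWS_26) is clear: the alarms topic has no `kms_master_key_id`. The block below is an added example, not code from the tutorials repository. It encrypts aws_sns_topic.alarms from lessons/131/terraform/7-sns-topic.tf with a customer-managed key whose policy lets CloudWatch Alarms publish; the key resource is an assumption, and the topic's original access policy (not shown on this page) has to be kept alongside the new argument.

```hcl
# Added example (not from the tutorials repo). aws_kms_key.sns is ASSUMED.
# Declare the data source once per module.

data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "sns_kms" {
  statement {
    sid       = "AccountAdmin"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # CloudWatch Alarms publish to this topic and must be able to fetch a data
  # key. The AWS-managed alias/aws/sns key cannot carry this grant, which is
  # why an encrypted alarm topic needs a customer-managed key.
  statement {
    sid       = "CloudWatchAlarmsPublish"
    actions   = ["kms:Decrypt", "kms:GenerateDataKey*"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["cloudwatch.amazonaws.com"]
    }
  }
}

resource "aws_kms_key" "sns" { # ASSUMED
  description         = "Encryption for the alarms SNS topic"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.sns_kms.json
}

resource "aws_sns_topic" "alarms" {
  name              = "alarms"
  kms_master_key_id = aws_kms_key.sns.id # CKV_AWS_26

  # policy = ... keep the topic access policy from the original file here
}
```

Any other service that publishes to the topic needs an equivalent statement with its own service principal; a publisher that lacks it fails with a KMS access-denied error on Publish, so test each alarm path once after enabling encryption. Lambda subscribers need nothing extra: SNS decrypts before delivery.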
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.test
File: /lessons/154/terraform/14-ec2.tf:44-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
44 | resource "aws_instance" "test" {
45 | ami = data.aws_ami.ubuntu_jammy.id
46 | instance_type = "t3a.small"
47 | subnet_id = aws_subnet.public_us_east_1a.id
48 | # key_name = "devops" # TODO: update to yours
49 |
50 | vpc_security_group_ids = [
51 | aws_security_group.test.id
52 | ]
53 |
54 | user_data = <> /etc/systemd/system/node_exporter.service
64 | [Unit]
65 | Description=Node Exporter
66 | Wants=network-online.target
67 | After=network-online.target
68 | StartLimitIntervalSec=500
69 | StartLimitBurst=5
70 |
71 | [Service]
72 | User=node_exporter
73 | Group=node_exporter
74 | Type=simple
75 | Restart=on-failure
76 | RestartSec=5s
77 | ExecStart=/usr/local/bin/node_exporter
78 |
79 | [Install]
80 | WantedBy=multi-user.target
81 | EOT
82 |
83 | systemctl enable node_exporter
84 | systemctl start node_exporter
85 | EOF
86 |
87 | tags = {
88 | Name = "myapp"
89 | service = "myapp"
90 | node-exporter = "true"
91 | }
92 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.test
File: /lessons/154/terraform/14-ec2.tf:44-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
44 | resource "aws_instance" "test" {
45 | ami = data.aws_ami.ubuntu_jammy.id
46 | instance_type = "t3a.small"
47 | subnet_id = aws_subnet.public_us_east_1a.id
48 | # key_name = "devops" # TODO: update to yours
49 |
50 | vpc_security_group_ids = [
51 | aws_security_group.test.id
52 | ]
53 |
54 | user_data = <> /etc/systemd/system/node_exporter.service
64 | [Unit]
65 | Description=Node Exporter
66 | Wants=network-online.target
67 | After=network-online.target
68 | StartLimitIntervalSec=500
69 | StartLimitBurst=5
70 |
71 | [Service]
72 | User=node_exporter
73 | Group=node_exporter
74 | Type=simple
75 | Restart=on-failure
76 | RestartSec=5s
77 | ExecStart=/usr/local/bin/node_exporter
78 |
79 | [Install]
80 | WantedBy=multi-user.target
81 | EOT
82 |
83 | systemctl enable node_exporter
84 | systemctl start node_exporter
85 | EOF
86 |
87 | tags = {
88 | Name = "myapp"
89 | service = "myapp"
90 | node-exporter = "true"
91 | }
92 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.test
File: /lessons/154/terraform/14-ec2.tf:44-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
44 | resource "aws_instance" "test" {
45 | ami = data.aws_ami.ubuntu_jammy.id
46 | instance_type = "t3a.small"
47 | subnet_id = aws_subnet.public_us_east_1a.id
48 | # key_name = "devops" # TODO: update to yours
49 |
50 | vpc_security_group_ids = [
51 | aws_security_group.test.id
52 | ]
53 |
54 | user_data = <> /etc/systemd/system/node_exporter.service
64 | [Unit]
65 | Description=Node Exporter
66 | Wants=network-online.target
67 | After=network-online.target
68 | StartLimitIntervalSec=500
69 | StartLimitBurst=5
70 |
71 | [Service]
72 | User=node_exporter
73 | Group=node_exporter
74 | Type=simple
75 | Restart=on-failure
76 | RestartSec=5s
77 | ExecStart=/usr/local/bin/node_exporter
78 |
79 | [Install]
80 | WantedBy=multi-user.target
81 | EOT
82 |
83 | systemctl enable node_exporter
84 | systemctl start node_exporter
85 | EOF
86 |
87 | tags = {
88 | Name = "myapp"
89 | service = "myapp"
90 | node-exporter = "true"
91 | }
92 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_us_east_1a
File: /lessons/154/terraform/3-subnets.tf:25-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
25 | resource "aws_subnet" "public_us_east_1a" {
26 | vpc_id = aws_vpc.main.id
27 | cidr_block = "10.0.64.0/19"
28 | availability_zone = "us-east-1a"
29 | map_public_ip_on_launch = true
30 |
31 | tags = {
32 | "Name" = "public-us-east-1a"
33 | "kubernetes.io/role/elb" = "1"
34 | "kubernetes.io/cluster/demo" = "owned"
35 | }
36 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_us_east_1b
File: /lessons/154/terraform/3-subnets.tf:38-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
38 | resource "aws_subnet" "public_us_east_1b" {
39 | vpc_id = aws_vpc.main.id
40 | cidr_block = "10.0.96.0/19"
41 | availability_zone = "us-east-1b"
42 | map_public_ip_on_launch = true
43 |
44 | tags = {
45 | "Name" = "public-us-east-1b"
46 | "kubernetes.io/role/elb" = "1"
47 | "kubernetes.io/cluster/demo" = "owned"
48 | }
49 | }
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/154/terraform/6-eks.tf:25-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
25 | resource "aws_eks_cluster" "demo" {
26 | name = "demo"
27 | version = "1.24"
28 | role_arn = aws_iam_role.demo.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private_us_east_1a.id,
33 | aws_subnet.private_us_east_1b.id,
34 | aws_subnet.public_us_east_1a.id,
35 | aws_subnet.public_us_east_1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
40 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/154/terraform/6-eks.tf:25-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
25 | resource "aws_eks_cluster" "demo" {
26 | name = "demo"
27 | version = "1.24"
28 | role_arn = aws_iam_role.demo.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private_us_east_1a.id,
33 | aws_subnet.private_us_east_1b.id,
34 | aws_subnet.public_us_east_1a.id,
35 | aws_subnet.public_us_east_1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
40 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/154/terraform/6-eks.tf:25-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
25 | resource "aws_eks_cluster" "demo" {
26 | name = "demo"
27 | version = "1.24"
28 | role_arn = aws_iam_role.demo.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private_us_east_1a.id,
33 | aws_subnet.private_us_east_1b.id,
34 | aws_subnet.public_us_east_1a.id,
35 | aws_subnet.public_us_east_1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
40 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/154/terraform/6-eks.tf:25-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
25 | resource "aws_eks_cluster" "demo" {
26 | name = "demo"
27 | version = "1.24"
28 | role_arn = aws_iam_role.demo.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private_us_east_1a.id,
33 | aws_subnet.private_us_east_1b.id,
34 | aws_subnet.public_us_east_1a.id,
35 | aws_subnet.public_us_east_1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
40 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_us_east_1a
File: /lessons/155/eks-terraform/3-subnets.tf:25-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
25 | resource "aws_subnet" "public_us_east_1a" {
26 | vpc_id = aws_vpc.main.id
27 | cidr_block = "10.0.64.0/19"
28 | availability_zone = "us-east-1a"
29 | map_public_ip_on_launch = true
30 |
31 | tags = {
32 | "Name" = "public-us-east-1a"
33 | "kubernetes.io/role/elb" = "1"
34 | "kubernetes.io/cluster/demo" = "owned"
35 | }
36 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_us_east_1b
File: /lessons/155/eks-terraform/3-subnets.tf:38-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
38 | resource "aws_subnet" "public_us_east_1b" {
39 | vpc_id = aws_vpc.main.id
40 | cidr_block = "10.0.96.0/19"
41 | availability_zone = "us-east-1b"
42 | map_public_ip_on_launch = true
43 |
44 | tags = {
45 | "Name" = "public-us-east-1b"
46 | "kubernetes.io/role/elb" = "1"
47 | "kubernetes.io/cluster/demo" = "owned"
48 | }
49 | }
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/155/eks-terraform/6-eks.tf:25-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
25 | resource "aws_eks_cluster" "demo" {
26 | name = "demo"
27 | version = "1.25"
28 | role_arn = aws_iam_role.demo.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private_us_east_1a.id,
33 | aws_subnet.private_us_east_1b.id,
34 | aws_subnet.public_us_east_1a.id,
35 | aws_subnet.public_us_east_1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
40 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/155/eks-terraform/6-eks.tf:25-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
25 | resource "aws_eks_cluster" "demo" {
26 | name = "demo"
27 | version = "1.25"
28 | role_arn = aws_iam_role.demo.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private_us_east_1a.id,
33 | aws_subnet.private_us_east_1b.id,
34 | aws_subnet.public_us_east_1a.id,
35 | aws_subnet.public_us_east_1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
40 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/155/eks-terraform/6-eks.tf:25-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
25 | resource "aws_eks_cluster" "demo" {
26 | name = "demo"
27 | version = "1.25"
28 | role_arn = aws_iam_role.demo.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private_us_east_1a.id,
33 | aws_subnet.private_us_east_1b.id,
34 | aws_subnet.public_us_east_1a.id,
35 | aws_subnet.public_us_east_1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
40 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: aws_eks_cluster.demo
File: /lessons/155/eks-terraform/6-eks.tf:25-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
25 | resource "aws_eks_cluster" "demo" {
26 | name = "demo"
27 | version = "1.25"
28 | role_arn = aws_iam_role.demo.arn
29 |
30 | vpc_config {
31 | subnet_ids = [
32 | aws_subnet.private_us_east_1a.id,
33 | aws_subnet.private_us_east_1b.id,
34 | aws_subnet.public_us_east_1a.id,
35 | aws_subnet.public_us_east_1b.id
36 | ]
37 | }
38 |
39 | depends_on = [aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy]
40 | }
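aws_eks_cluster.demo in lessons 154 and 155 fails the same four checks (CKV_AWS_39, 37, 38, 58). The block below is an added example, not code from the tutorials repository: the cluster resource from lessons/155/eks-terraform/6-eks.tf (lesson 154 is identical apart from `version = "1.24"`) with control-plane logging, a restricted API endpoint and secrets encryption. `var.admin_cidr`, the KMS key, the log group and the role policy are assumptions.

```hcl
# Added example (not from the tutorials repo). var.admin_cidr, aws_kms_key.eks_secrets,
# aws_cloudwatch_log_group.eks_demo and aws_iam_role_policy.demo_kms are ASSUMED.

variable "admin_cidr" {
  description = "Public IPv4 CIDR allowed to reach the API server (office or VPN egress)"
  type        = string
}

# Create the log group yourself: EKS otherwise creates /aws/eks/<name>/cluster
# with logs retained forever and no KMS key.
resource "aws_cloudwatch_log_group" "eks_demo" {
  name              = "/aws/eks/demo/cluster"
  retention_in_days = 365
}

# CKV_AWS_58: envelope-encrypt Kubernetes Secrets in etcd.
resource "aws_kms_key" "eks_secrets" {
  description         = "EKS secrets encryption for cluster demo"
  enable_key_rotation = true
}

# EKS creates a grant on the key using the cluster role, so the role needs these.
resource "aws_iam_role_policy" "demo_kms" {
  name = "eks-secrets-kms"
  role = aws_iam_role.demo.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["kms:DescribeKey", "kms:CreateGrant"]
      Resource = aws_kms_key.eks_secrets.arn
    }]
  })
}

resource "aws_eks_cluster" "demo" {
  name     = "demo"
  version  = "1.25"
  role_arn = aws_iam_role.demo.arn

  # CKV_AWS_37: all five control-plane log types; "audit" is the one incident
  # responders will actually ask for.
  enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]

  vpc_config {
    subnet_ids = [
      aws_subnet.private_us_east_1a.id,
      aws_subnet.private_us_east_1b.id,
      aws_subnet.public_us_east_1a.id,
      aws_subnet.public_us_east_1b.id
    ]

    # CKV_AWS_38: nodes and in-VPC tooling use the private endpoint; the public
    # endpoint answers only to the admin range. Setting endpoint_public_access
    # to false (kubectl from a bastion, VPN or Client VPN) also clears CKV_AWS_39.
    endpoint_private_access = true
    endpoint_public_access  = true
    public_access_cidrs     = [var.admin_cidr]
  }

  encryption_config {
    resources = ["secrets"]
    provider {
      key_arn = aws_kms_key.eks_secrets.arn
    }
  }

  depends_on = [
    aws_iam_role_policy_attachment.demo_amazon_eks_cluster_policy,
    aws_iam_role_policy.demo_kms,
    aws_cloudwatch_log_group.eks_demo,
  ]
}
```

All of these are in-place updates on an existing cluster, but `encryption_config` is one-way: once secrets encryption is enabled it cannot be removed, and deleting the key makes every Secret unreadable. If the cluster was created before the log group resource existed, EKS has already created the group; import it rather than letting the apply fail.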
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.eks_console_access
File: /lessons/156/terraform/11-developer-role.tf:40-67
40 | resource "aws_iam_policy" "eks_console_access" {
41 | name = "EKSConsoleAccess"
42 |
43 | policy = < index.html
25 | nohup busybox httpd -f -p ${var.server_port} &
26 | EOF
27 |
28 | user_data_replace_on_change = true
29 |
30 | tags = {
31 | Name = "my-ubuntu"
32 | }
33 | }
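The CKV_AWS_355 snippet above was truncated by extraction at `policy =`, so the original statement of aws_iam_policy.eks_console_access is not visible here. The block below is an added example, not code from the tutorials repository: a resource-scoped replacement in which every action that accepts a cluster or node group ARN is pinned to the `demo` cluster, and `"*"` is left only on the one action that has no resource-level support. The action list is an assumption about what read-only console access needs, not a copy of lesson 156's policy.

```hcl
# Added example (not from the tutorials repo). The action list is ASSUMED.
# Declare the data sources once per module.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  eks_arn_prefix = "arn:aws:eks:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}"
}

data "aws_iam_policy_document" "eks_console_access" {
  # CKV_AWS_355: restrictable actions get the cluster and node group ARNs.
  statement {
    sid = "DescribeDemoCluster"
    actions = [
      "eks:DescribeCluster",
      "eks:ListNodegroups",
      "eks:AccessKubernetesApi",
    ]
    resources = ["${local.eks_arn_prefix}:cluster/demo"]
  }

  statement {
    sid       = "DescribeDemoNodegroups"
    actions   = ["eks:DescribeNodegroup"]
    resources = ["${local.eks_arn_prefix}:nodegroup/demo/*/*"]
  }

  # eks:ListClusters has no resource-level permissions, so "*" is the only
  # valid resource here; this is the kind of action the check exempts.
  statement {
    sid       = "ListClusters"
    actions   = ["eks:ListClusters"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "eks_console_access" {
  name   = "EKSConsoleAccess"
  policy = data.aws_iam_policy_document.eks_console_access.json
}
```

Keeping the wildcard statement separate from the scoped one is the habit that makes this check pass in future: a reviewer can see at a glance which actions are wildcarded and why, and adding a restrictable action to the `"*"` statement stands out in a diff.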
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.example
File: /lessons/164/main.tf:16-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
16 | resource "aws_instance" "example" {
17 | ami = "ami-0a695f0d95cefc163"
18 | instance_type = "t3.micro"
19 |
20 | vpc_security_group_ids = [aws_security_group.instance.id]
21 |
22 | user_data = <<-EOF
23 | #!/bin/bash
24 | echo "Hello, World" > index.html
25 | nohup busybox httpd -f -p ${var.server_port} &
26 | EOF
27 |
28 | user_data_replace_on_change = true
29 |
30 | tags = {
31 | Name = "my-ubuntu"
32 | }
33 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.example
File: /lessons/164/main.tf:16-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
16 | resource "aws_instance" "example" {
17 | ami = "ami-0a695f0d95cefc163"
18 | instance_type = "t3.micro"
19 |
20 | vpc_security_group_ids = [aws_security_group.instance.id]
21 |
22 | user_data = <<-EOF
23 | #!/bin/bash
24 | echo "Hello, World" > index.html
25 | nohup busybox httpd -f -p ${var.server_port} &
26 | EOF
27 |
28 | user_data_replace_on_change = true
29 |
30 | tags = {
31 | Name = "my-ubuntu"
32 | }
33 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.example
File: /lessons/164/main.tf:16-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
16 | resource "aws_instance" "example" {
17 | ami = "ami-0a695f0d95cefc163"
18 | instance_type = "t3.micro"
19 |
20 | vpc_security_group_ids = [aws_security_group.instance.id]
21 |
22 | user_data = <<-EOF
23 | #!/bin/bash
24 | echo "Hello, World" > index.html
25 | nohup busybox httpd -f -p ${var.server_port} &
26 | EOF
27 |
28 | user_data_replace_on_change = true
29 |
30 | tags = {
31 | Name = "my-ubuntu"
32 | }
33 | }
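Three aws_instance resources on this page (my_app in lesson 131, test in lesson 154, example in lesson 164) fail the same encryption, IMDS and EBS checks, and lesson 131's also fails detailed monitoring. The block below is an added example, not code from the tutorials repository: aws_instance.my_app from lessons/131/terraform/5-ec2.tf with those four arguments added. The other two instances take the same four arguments unchanged.

```hcl
# Added example (not from the tutorials repo). Everything outside the four
# commented blocks is the original lesson 131 resource.

resource "aws_instance" "my_app" {
  ami                    = data.aws_ami.ubuntu.id
  instance_type          = "t3.micro"
  key_name               = "devops"
  subnet_id              = aws_subnet.public_us_east_1a.id
  vpc_security_group_ids = [aws_security_group.my_app.id]

  iam_instance_profile = aws_iam_instance_profile.prometheus_demo.name

  # CKV_AWS_126: 1-minute CloudWatch metrics (billed per instance).
  monitoring = true

  # CKV_AWS_135: dedicated EBS bandwidth; t3 supports it at no extra cost.
  ebs_optimized = true

  # CKV_AWS_8: encrypt the root volume. This works with an unencrypted public
  # AMI because encryption is applied at launch; leaving out kms_key_id uses
  # the account's default EBS key. Changing it on a live instance forces replacement.
  root_block_device {
    encrypted   = true
    volume_type = "gp3"
  }

  # CKV_AWS_79: IMDSv2 only. With http_tokens = "required", a plain
  # GET http://169.254.169.254/latest/meta-data/iam/security-credentials/
  # (the request an SSRF bug can be steered into) returns 401 instead of the
  # instance role's keys; a PUT-obtained session token is needed first. Raise
  # the hop limit to 2 only if containers on the host must use the instance role.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
    instance_metadata_tags      = "disabled"
  }

  user_data = templatefile("bootstrap.sh.tpl",
    {
      prometheus_ver    = "2.39.1",
      node_exporter_ver = "1.4.0",
      remote_write_url  = aws_prometheus_workspace.demo.prometheus_endpoint
    })

  tags = {
    Name          = "my-app.example.pvt"
    node-exporter = "true"
  }
}
```

Before requiring IMDSv2, grep the bootstrap scripts and anything they install for raw `curl http://169.254.169.254/...` calls: those stop working unless they fetch a token with `PUT /latest/api/token` first, while current AWS SDKs and the AWS CLI already do. `metadata_options` and `monitoring` change in place; only the root volume change replaces the instance.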
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_launch_configuration.example
File: /lessons/164/main.tf:35-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
35 | resource "aws_launch_configuration" "example" {
36 | image_id = "ami-0a695f0d95cefc163"
37 | instance_type = "t3.micro"
38 | security_groups = [aws_security_group.instance.id]
39 |
40 | user_data = <<-EOF
41 | #!/bin/bash
42 | echo "Hello, World" > index.html
43 | nohup busybox httpd -f -p ${var.server_port} &
44 | EOF
45 |
46 | # Required with an autoscaling group.
47 | lifecycle {
48 | create_before_destroy = true
49 | }
50 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_launch_configuration.example
File: /lessons/164/main.tf:35-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
35 | resource "aws_launch_configuration" "example" {
36 | image_id = "ami-0a695f0d95cefc163"
37 | instance_type = "t3.micro"
38 | security_groups = [aws_security_group.instance.id]
39 |
40 | user_data = <<-EOF
41 | #!/bin/bash
42 | echo "Hello, World" > index.html
43 | nohup busybox httpd -f -p ${var.server_port} &
44 | EOF
45 |
46 | # Required with an autoscaling group.
47 | lifecycle {
48 | create_before_destroy = true
49 | }
50 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.instance
File: /lessons/164/main.tf:52-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
52 | resource "aws_security_group" "instance" {
53 | name = "web"
54 |
55 | ingress {
56 | from_port = var.server_port
57 | to_port = var.server_port
58 | protocol = "tcp"
59 | cidr_blocks = ["0.0.0.0/0"]
60 | }
61 | }
Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
FAILED for resource: aws_autoscaling_group.example
File: /lessons/164/main.tf:63-78
63 | resource "aws_autoscaling_group" "example" {
64 | launch_configuration = aws_launch_configuration.example.name
65 | vpc_zone_identifier = data.aws_subnets.default.ids
66 |
67 | target_group_arns = [aws_lb_target_group.asg.arn]
68 | health_check_type = "ELB"
69 |
70 | min_size = 2
71 | max_size = 10
72 |
73 | tag {
74 | key = "Name"
75 | value = "web"
76 | propagate_at_launch = true
77 | }
78 | }
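CKV_AWS_315 is best read together with the two findings on aws_launch_configuration.example: a launch configuration cannot express IMDSv2 and root-volume encryption as completely as a launch template, and the template is where the Auto Scaling group's instances get both. The block below is an added example, not code from the tutorials repository: lesson 164's launch configuration rewritten as aws_launch_template.example and the ASG switched to it, with a rolling instance refresh so the fix reaches running capacity. The root device name is an assumption about the AMI.

```hcl
# Added example (not from the tutorials repo). The /dev/sda1 device name is
# ASSUMED for the Ubuntu AMI; confirm with `aws ec2 describe-images`.

resource "aws_launch_template" "example" {
  name_prefix   = "web-"
  image_id      = "ami-0a695f0d95cefc163"
  instance_type = "t3.micro"

  vpc_security_group_ids = [aws_security_group.instance.id]

  # Launch templates take base64-encoded user data.
  user_data = base64encode(<<-EOF
    #!/bin/bash
    echo "Hello, World" > index.html
    nohup busybox httpd -f -p ${var.server_port} &
    EOF
  )

  # CKV_AWS_79
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  # CKV_AWS_8: encrypted root volume for every instance the ASG launches.
  block_device_mappings {
    device_name = "/dev/sda1"
    ebs {
      encrypted   = true
      volume_type = "gp3"
    }
  }

  ebs_optimized = true

  # A new template version is created before the old one is retired.
  lifecycle {
    create_before_destroy = true
  }

  tag_specifications {
    resource_type = "instance"
    tags          = { Name = "web" }
  }
}

resource "aws_autoscaling_group" "example" {
  name_prefix         = "web-"
  vpc_zone_identifier = data.aws_subnets.default.ids

  # CKV_AWS_315
  launch_template {
    id      = aws_launch_template.example.id
    version = aws_launch_template.example.latest_version
  }

  target_group_arns = [aws_lb_target_group.asg.arn]
  health_check_type = "ELB"

  min_size = 2
  max_size = 10

  # Without this, a template change only affects instances launched later;
  # the ones already running keep IMDSv1 and unencrypted disks.
  instance_refresh {
    strategy = "Rolling"
    preferences {
      min_healthy_percentage = 50
    }
  }

  tag {
    key                 = "Name"
    value               = "web"
    propagate_at_launch = true
  }
}
```

Moving from `launch_configuration` to `launch_template` is an in-place change on the ASG; the instance refresh then replaces instances one batch at a time while the ALB health check keeps at least half of them in service.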
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
FAILED for resource: aws_lb.example
File: /lessons/164/main.tf:80-85
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html
80 | resource "aws_lb" "example" {
81 | name = "web"
82 | load_balancer_type = "application"
83 | subnets = data.aws_subnets.default.ids
84 | security_groups = [aws_security_group.alb.id]
85 | }
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
FAILED for resource: aws_lb.example
File: /lessons/164/main.tf:80-85
Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62
80 | resource "aws_lb" "example" {
81 | name = "web"
82 | load_balancer_type = "application"
83 | subnets = data.aws_subnets.default.ids
84 | security_groups = [aws_security_group.alb.id]
85 | }
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
FAILED for resource: aws_lb.example
File: /lessons/164/main.tf:80-85
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html
80 | resource "aws_lb" "example" {
81 | name = "web"
82 | load_balancer_type = "application"
83 | subnets = data.aws_subnets.default.ids
84 | security_groups = [aws_security_group.alb.id]
85 | }
Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
FAILED for resource: aws_lb_listener.http
File: /lessons/164/main.tf:87-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-29.html
87 | resource "aws_lb_listener" "http" {
88 | load_balancer_arn = aws_lb.example.arn
89 | port = 80
90 | protocol = "HTTP"
91 |
92 | # By default, it just shows a simple 404 page
93 | default_action {
94 | type = "fixed-response"
95 |
96 | fixed_response {
97 | content_type = "text/plain"
98 | message_body = "404: page not found"
99 | status_code = 404
100 | }
101 | }
102 | }
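The three aws_lb.example findings and the listener finding are all attributes of the load balancer and its listeners. The following is an added example, not the repository's code, showing the same ALB with header dropping (CKV_AWS_131), deletion protection (CKV_AWS_150), access logging to a bucket created here (CKV_AWS_91), and TLS termination with the HTTP listener reduced to a redirect (CKV_AWS_2). The log bucket, its policy and var.certificate_arn (a validated ACM certificate, which the scanned module does not have) are assumptions.

```hcl
# Added example: hardened ALB and listeners for the aws_lb.example findings.
# Assumes data.aws_subnets.default and aws_security_group.alb from the module
# and a validated ACM certificate in var.certificate_arn (an assumption).
resource "aws_s3_bucket" "alb_logs" {
  bucket_prefix = "web-alb-logs-"
}

# The regional ELB log-delivery account must be allowed to write objects.
# data.aws_elb_service_account resolves it for the provider's region.
data "aws_elb_service_account" "this" {}

resource "aws_s3_bucket_policy" "alb_logs" {
  bucket = aws_s3_bucket.alb_logs.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = data.aws_elb_service_account.this.arn }
      Action    = "s3:PutObject"
      Resource  = "${aws_s3_bucket.alb_logs.arn}/web/AWSLogs/*"
    }]
  })
}

resource "aws_lb" "example" {
  name               = "web"
  load_balancer_type = "application"
  subnets            = data.aws_subnets.default.ids
  security_groups    = [aws_security_group.alb.id]

  # CKV_AWS_131: reject requests whose header fields are not valid HTTP,
  # removing a class of header-smuggling tricks against the targets.
  drop_invalid_header_fields = true

  # CKV_AWS_150: a stray destroy cannot remove the public entry point.
  enable_deletion_protection = true

  # CKV_AWS_91: request logs land in the bucket above.
  access_logs {
    bucket  = aws_s3_bucket.alb_logs.id
    prefix  = "web"
    enabled = true
  }

  depends_on = [aws_s3_bucket_policy.alb_logs]
}

# CKV_AWS_2: terminate TLS on 443. Checkov accepts an HTTP listener whose
# only default action is a redirect to HTTPS.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.example.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn

  default_action {
    type = "fixed-response"
    fixed_response {
      content_type = "text/plain"
      message_body = "404: page not found"
      status_code  = "404"
    }
  }
}

resource "aws_lb_listener" "http" {
  load_balancer_arn = aws_lb.example.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}
```

Two caveats. In regions opened after August 2022 the bucket policy principal is the logdelivery.elasticloadbalancing.amazonaws.com service principal rather than the ELB account, so check the region before copying the policy. And once the port 80 listener only redirects, the aws_security_group.alb ingress on 80 that fails CKV_AWS_260 is intentional; record that decision with an inline `#checkov:skip=CKV_AWS_260:HTTP listener only redirects to HTTPS` comment inside that resource instead of disabling the check for the whole repository.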
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.alb
File: /lessons/164/main.tf:104-121
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
104 | resource "aws_security_group" "alb" {
105 | name = "web-alb"
106 | # Allow inbound HTTP requests
107 | ingress {
108 | from_port = 80
109 | to_port = 80
110 | protocol = "tcp"
111 | cidr_blocks = ["0.0.0.0/0"]
112 | }
113 |
114 | # Allow all outbound requests
115 | egress {
116 | from_port = 0
117 | to_port = 0
118 | protocol = "-1"
119 | cidr_blocks = ["0.0.0.0/0"]
120 | }
121 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.alb
File: /lessons/164/main.tf:104-121
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
104 | resource "aws_security_group" "alb" {
105 | name = "web-alb"
106 | # Allow inbound HTTP requests
107 | ingress {
108 | from_port = 80
109 | to_port = 80
110 | protocol = "tcp"
111 | cidr_blocks = ["0.0.0.0/0"]
112 | }
113 |
114 | # Allow all outbound requests
115 | egress {
116 | from_port = 0
117 | to_port = 0
118 | protocol = "-1"
119 | cidr_blocks = ["0.0.0.0/0"]
120 | }
121 | }
Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK"
FAILED for resource: aws_dynamodb_table.terraform_state
File: /lessons/165/1-example/main.tf:39-48
Guide: https://docs.bridgecrew.io/docs/ensure-that-dynamodb-tables-are-encrypted
39 | resource "aws_dynamodb_table" "terraform_state" {
40 | name = "terraform-state"
41 | billing_mode = "PAY_PER_REQUEST"
42 | hash_key = "LockID"
43 |
44 | attribute {
45 | name = "LockID"
46 | type = "S"
47 | }
48 | }
Check: CKV_AWS_28: "Ensure Dynamodb point in time recovery (backup) is enabled"
FAILED for resource: aws_dynamodb_table.terraform_state
File: /lessons/165/1-example/main.tf:39-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-6.html
39 | resource "aws_dynamodb_table" "terraform_state" {
40 | name = "terraform-state"
41 | billing_mode = "PAY_PER_REQUEST"
42 | hash_key = "LockID"
43 |
44 | attribute {
45 | name = "LockID"
46 | type = "S"
47 | }
48 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.example
File: /lessons/165/3-example/main.tf:5-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
5 | resource "aws_instance" "example" {
6 | ami = "ami-0a695f0d95cefc163"
7 |
8 | instance_type = (
9 | terraform.workspace == "default" ? "t3.medium" : "t3.micro"
10 | )
11 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.example
File: /lessons/165/3-example/main.tf:5-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
5 | resource "aws_instance" "example" {
6 | ami = "ami-0a695f0d95cefc163"
7 |
8 | instance_type = (
9 | terraform.workspace == "default" ? "t3.medium" : "t3.micro"
10 | )
11 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.example
File: /lessons/165/3-example/main.tf:5-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
5 | resource "aws_instance" "example" {
6 | ami = "ami-0a695f0d95cefc163"
7 |
8 | instance_type = (
9 | terraform.workspace == "default" ? "t3.medium" : "t3.micro"
10 | )
11 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.example
File: /lessons/165/3-example/main.tf:5-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
5 | resource "aws_instance" "example" {
6 | ami = "ami-0a695f0d95cefc163"
7 |
8 | instance_type = (
9 | terraform.workspace == "default" ? "t3.medium" : "t3.micro"
10 | )
11 | }
Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK"
FAILED for resource: aws_dynamodb_table.terraform_state
File: /lessons/165/global/s3/main.tf:39-48
Guide: https://docs.bridgecrew.io/docs/ensure-that-dynamodb-tables-are-encrypted
39 | resource "aws_dynamodb_table" "terraform_state" {
40 | name = "terraform-state"
41 | billing_mode = "PAY_PER_REQUEST"
42 | hash_key = "LockID"
43 |
44 | attribute {
45 | name = "LockID"
46 | type = "S"
47 | }
48 | }
Check: CKV_AWS_28: "Ensure Dynamodb point in time recovery (backup) is enabled"
FAILED for resource: aws_dynamodb_table.terraform_state
File: /lessons/165/global/s3/main.tf:39-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-6.html
39 | resource "aws_dynamodb_table" "terraform_state" {
40 | name = "terraform-state"
41 | billing_mode = "PAY_PER_REQUEST"
42 | hash_key = "LockID"
43 |
44 | attribute {
45 | name = "LockID"
46 | type = "S"
47 | }
48 | }
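The same aws_dynamodb_table.terraform_state appears twice (lessons 165/1-example and 165/global/s3) with the same two findings. This is the table Terraform uses for state locking and state digests, so its loss blocks every pipeline that shares the backend. The following is an added example, not the repository's code; the KMS key, its alias and the 30-day deletion window are assumptions.

```hcl
# Added example: the Terraform state lock table with a customer-managed key
# and point-in-time recovery. Key alias and deletion window are assumptions.
resource "aws_kms_key" "terraform_state" {
  description             = "Terraform state lock table"
  deletion_window_in_days = 30
  enable_key_rotation     = true
}

resource "aws_kms_alias" "terraform_state" {
  name          = "alias/terraform-state"
  target_key_id = aws_kms_key.terraform_state.key_id
}

resource "aws_dynamodb_table" "terraform_state" {
  name         = "terraform-state"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"

  attribute {
    name = "LockID"
    type = "S"
  }

  # CKV_AWS_119: a CMK instead of the AWS-owned key, so use of the lock
  # table can be restricted and audited through the key policy and CloudTrail.
  server_side_encryption {
    enabled     = true
    kms_key_arn = aws_kms_key.terraform_state.arn
  }

  # CKV_AWS_28: continuous backups with 35 days of point-in-time restore.
  point_in_time_recovery {
    enabled = true
  }

  # A lock table that disappears leaves every pipeline unable to lock state.
  lifecycle {
    prevent_destroy = true
  }
}
```

Any principal that runs terraform against this backend now needs kms:Decrypt and kms:GenerateDataKey on the key as well as DynamoDB access; grant that in the key policy for the CI role before switching the key, or every plan will fail to acquire the lock.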
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.example
File: /lessons/165/infra/main.tf:5-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
5 | resource "aws_instance" "example" {
6 | ami = "ami-0a695f0d95cefc163"
7 | instance_type = "t3.micro"
8 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.example
File: /lessons/165/infra/main.tf:5-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
5 | resource "aws_instance" "example" {
6 | ami = "ami-0a695f0d95cefc163"
7 | instance_type = "t3.micro"
8 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.example
File: /lessons/165/infra/main.tf:5-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
5 | resource "aws_instance" "example" {
6 | ami = "ami-0a695f0d95cefc163"
7 | instance_type = "t3.micro"
8 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.example
File: /lessons/165/infra/main.tf:5-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
5 | resource "aws_instance" "example" {
6 | ami = "ami-0a695f0d95cefc163"
7 | instance_type = "t3.micro"
8 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/infra/main.tf:10-22
10 | resource "aws_db_instance" "mydb" {
11 | db_name = "mydb"
12 | engine = "postgres"
13 | engine_version = "15"
14 | instance_class = "db.t4g.micro"
15 | allocated_storage = 10
16 |
17 | publicly_accessible = true
18 | skip_final_snapshot = true
19 |
20 | username = "root"
21 | password = "devops123"
22 | }
Check: CKV_AWS_17: "Ensure all data stored in RDS is not publicly accessible"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/infra/main.tf:10-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-2.html
10 | resource "aws_db_instance" "mydb" {
11 | db_name = "mydb"
12 | engine = "postgres"
13 | engine_version = "15"
14 | instance_class = "db.t4g.micro"
15 | allocated_storage = 10
16 |
17 | publicly_accessible = true
18 | skip_final_snapshot = true
19 |
20 | username = "root"
21 | password = "devops123"
22 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/infra/main.tf:10-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
10 | resource "aws_db_instance" "mydb" {
11 | db_name = "mydb"
12 | engine = "postgres"
13 | engine_version = "15"
14 | instance_class = "db.t4g.micro"
15 | allocated_storage = 10
16 |
17 | publicly_accessible = true
18 | skip_final_snapshot = true
19 |
20 | username = "root"
21 | password = "devops123"
22 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/infra/main.tf:10-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
10 | resource "aws_db_instance" "mydb" {
11 | db_name = "mydb"
12 | engine = "postgres"
13 | engine_version = "15"
14 | instance_class = "db.t4g.micro"
15 | allocated_storage = 10
16 |
17 | publicly_accessible = true
18 | skip_final_snapshot = true
19 |
20 | username = "root"
21 | password = "devops123"
22 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/infra/main.tf:10-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
10 | resource "aws_db_instance" "mydb" {
11 | db_name = "mydb"
12 | engine = "postgres"
13 | engine_version = "15"
14 | instance_class = "db.t4g.micro"
15 | allocated_storage = 10
16 |
17 | publicly_accessible = true
18 | skip_final_snapshot = true
19 |
20 | username = "root"
21 | password = "devops123"
22 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/infra/main.tf:10-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
10 | resource "aws_db_instance" "mydb" {
11 | db_name = "mydb"
12 | engine = "postgres"
13 | engine_version = "15"
14 | instance_class = "db.t4g.micro"
15 | allocated_storage = 10
16 |
17 | publicly_accessible = true
18 | skip_final_snapshot = true
19 |
20 | username = "root"
21 | password = "devops123"
22 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/infra/main.tf:10-22
10 | resource "aws_db_instance" "mydb" {
11 | db_name = "mydb"
12 | engine = "postgres"
13 | engine_version = "15"
14 | instance_class = "db.t4g.micro"
15 | allocated_storage = 10
16 |
17 | publicly_accessible = true
18 | skip_final_snapshot = true
19 |
20 | username = "root"
21 | password = "devops123"
22 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/infra/main.tf:10-22
10 | resource "aws_db_instance" "mydb" {
11 | db_name = "mydb"
12 | engine = "postgres"
13 | engine_version = "15"
14 | instance_class = "db.t4g.micro"
15 | allocated_storage = 10
16 |
17 | publicly_accessible = true
18 | skip_final_snapshot = true
19 |
20 | username = "root"
21 | password = "devops123"
22 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/infra/main.tf:10-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
10 | resource "aws_db_instance" "mydb" {
11 | db_name = "mydb"
12 | engine = "postgres"
13 | engine_version = "15"
14 | instance_class = "db.t4g.micro"
15 | allocated_storage = 10
16 |
17 | publicly_accessible = true
18 | skip_final_snapshot = true
19 |
20 | username = "root"
21 | password = "devops123"
22 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/infra/main.tf:10-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
10 | resource "aws_db_instance" "mydb" {
11 | db_name = "mydb"
12 | engine = "postgres"
13 | engine_version = "15"
14 | instance_class = "db.t4g.micro"
15 | allocated_storage = 10
16 |
17 | publicly_accessible = true
18 | skip_final_snapshot = true
19 |
20 | username = "root"
21 | password = "devops123"
22 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
11 | resource "aws_db_instance" "mydb" {
12 | db_name = "mydb"
13 | engine = "postgres"
14 | engine_version = "15"
15 | instance_class = "db.t4g.micro"
16 | allocated_storage = 10
17 |
18 | skip_final_snapshot = true
19 | publicly_accessible = true
20 |
21 | username = var.username
22 | password = var.password
23 | }
Check: CKV_AWS_17: "Ensure all data stored in RDS is not publicly accessible"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-2.html
11 | resource "aws_db_instance" "mydb" {
12 | db_name = "mydb"
13 | engine = "postgres"
14 | engine_version = "15"
15 | instance_class = "db.t4g.micro"
16 | allocated_storage = 10
17 |
18 | skip_final_snapshot = true
19 | publicly_accessible = true
20 |
21 | username = var.username
22 | password = var.password
23 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
11 | resource "aws_db_instance" "mydb" {
12 | db_name = "mydb"
13 | engine = "postgres"
14 | engine_version = "15"
15 | instance_class = "db.t4g.micro"
16 | allocated_storage = 10
17 |
18 | skip_final_snapshot = true
19 | publicly_accessible = true
20 |
21 | username = var.username
22 | password = var.password
23 | }
Check: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-rds-database-has-iam-authentication-enabled.html
11 | resource "aws_db_instance" "mydb" {
12 | db_name = "mydb"
13 | engine = "postgres"
14 | engine_version = "15"
15 | instance_class = "db.t4g.micro"
16 | allocated_storage = 10
17 |
18 | skip_final_snapshot = true
19 | publicly_accessible = true
20 |
21 | username = var.username
22 | password = var.password
23 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
11 | resource "aws_db_instance" "mydb" {
12 | db_name = "mydb"
13 | engine = "postgres"
14 | engine_version = "15"
15 | instance_class = "db.t4g.micro"
16 | allocated_storage = 10
17 |
18 | skip_final_snapshot = true
19 | publicly_accessible = true
20 |
21 | username = var.username
22 | password = var.password
23 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
11 | resource "aws_db_instance" "mydb" {
12 | db_name = "mydb"
13 | engine = "postgres"
14 | engine_version = "15"
15 | instance_class = "db.t4g.micro"
16 | allocated_storage = 10
17 |
18 | skip_final_snapshot = true
19 | publicly_accessible = true
20 |
21 | username = var.username
22 | password = var.password
23 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
11 | resource "aws_db_instance" "mydb" {
12 | db_name = "mydb"
13 | engine = "postgres"
14 | engine_version = "15"
15 | instance_class = "db.t4g.micro"
16 | allocated_storage = 10
17 |
18 | skip_final_snapshot = true
19 | publicly_accessible = true
20 |
21 | username = var.username
22 | password = var.password
23 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
11 | resource "aws_db_instance" "mydb" {
12 | db_name = "mydb"
13 | engine = "postgres"
14 | engine_version = "15"
15 | instance_class = "db.t4g.micro"
16 | allocated_storage = 10
17 |
18 | skip_final_snapshot = true
19 | publicly_accessible = true
20 |
21 | username = var.username
22 | password = var.password
23 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
11 | resource "aws_db_instance" "mydb" {
12 | db_name = "mydb"
13 | engine = "postgres"
14 | engine_version = "15"
15 | instance_class = "db.t4g.micro"
16 | allocated_storage = 10
17 |
18 | skip_final_snapshot = true
19 | publicly_accessible = true
20 |
21 | username = var.username
22 | password = var.password
23 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
11 | resource "aws_db_instance" "mydb" {
12 | db_name = "mydb"
13 | engine = "postgres"
14 | engine_version = "15"
15 | instance_class = "db.t4g.micro"
16 | allocated_storage = 10
17 |
18 | skip_final_snapshot = true
19 | publicly_accessible = true
20 |
21 | username = var.username
22 | password = var.password
23 | }
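The aws_db_instance.mydb resource fails nine checks in lessons 165/infra and 165/staging, and the infra copy additionally carries a literal master password ("devops123") next to publicly_accessible = true, which Checkov's infrastructure checks do not flag but which is the most serious line in the snippet. The following is an added example, not the repository's code, with every listed finding addressed and the password moved out of source. It assumes a recent AWS provider (5.x, for manage_master_user_password) and keeps var.username from the staging module; the KMS key and the enhanced-monitoring role are additions.

```hcl
# Added example: aws_db_instance with the findings above addressed.
# The KMS key and monitoring role are additions; var.username is kept from
# the staging module. Requires AWS provider 5.x.
resource "aws_kms_key" "rds" {
  description         = "RDS storage and Performance Insights"
  enable_key_rotation = true
}

# Enhanced monitoring needs a role RDS can assume to publish OS metrics.
data "aws_iam_policy_document" "rds_monitoring_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["monitoring.rds.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "rds_monitoring" {
  name               = "rds-enhanced-monitoring"
  assume_role_policy = data.aws_iam_policy_document.rds_monitoring_assume.json
}

resource "aws_iam_role_policy_attachment" "rds_monitoring" {
  role       = aws_iam_role.rds_monitoring.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
}

resource "aws_db_instance" "mydb" {
  db_name           = "mydb"
  engine            = "postgres"
  engine_version    = "15"
  instance_class    = "db.t4g.micro"
  allocated_storage = 10

  # CKV_AWS_17: private only. Clients reach it inside the VPC instead of
  # through a public IP guarded by nothing but a password.
  publicly_accessible = false

  # CKV_AWS_293, plus a final snapshot so a destroy is recoverable.
  deletion_protection       = true
  skip_final_snapshot       = false
  final_snapshot_identifier = "mydb-final"

  # CKV_AWS_16: encryption at rest with a customer-managed key.
  storage_encrypted = true
  kms_key_id        = aws_kms_key.rds.arn

  # CKV_AWS_157: synchronous standby in a second AZ.
  multi_az = true

  # CKV_AWS_226: minor engine versions (security fixes) apply in the window.
  auto_minor_version_upgrade = true

  # CKV_AWS_129: PostgreSQL and upgrade logs to CloudWatch Logs.
  enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]

  # CKV_AWS_161: short-lived IAM tokens instead of a shared static password.
  iam_database_authentication_enabled = true

  # CKV_AWS_118: enhanced monitoring every 60 seconds.
  monitoring_interval = 60
  monitoring_role_arn = aws_iam_role.rds_monitoring.arn

  # CKV_AWS_353 / CKV_AWS_354: Performance Insights, encrypted with the CMK.
  performance_insights_enabled    = true
  performance_insights_kms_key_id = aws_kms_key.rds.arn

  # No password in source or state: RDS generates and rotates the master
  # password in Secrets Manager.
  username                    = var.username
  manage_master_user_password = true
}
```

Two things to verify before applying. Performance Insights and Multi-AZ are not available on every burstable class for every engine, so if the apply is rejected, move up from db.t4g.micro rather than dropping the settings. And because the instance is now private, the web tier in lessons 165/staging/services/web must sit in the same VPC and have a security-group rule from its instance group to port 5432; the remote-state outputs it consumes (address, port) are unchanged.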
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.instance
File: /lessons/165/staging/services/web/main.tf:11-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
11 | resource "aws_security_group" "instance" {
12 | name = "web"
13 |
14 | ingress {
15 | from_port = var.server_port
16 | to_port = var.server_port
17 | protocol = "tcp"
18 | cidr_blocks = ["0.0.0.0/0"]
19 | }
20 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.example
File: /lessons/165/staging/services/web/main.tf:22-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
22 | resource "aws_instance" "example" {
23 | ami = "ami-0a695f0d95cefc163"
24 | instance_type = "t3.micro"
25 |
26 | vpc_security_group_ids = [aws_security_group.instance.id]
27 |
28 | user_data = templatefile("user-data.sh", {
29 | server_port = var.server_port
30 | postgres_address = data.terraform_remote_state.postgres.outputs.address
31 | postgres_port = data.terraform_remote_state.postgres.outputs.port
32 | })
33 |
34 | user_data_replace_on_change = true
35 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.example
File: /lessons/165/staging/services/web/main.tf:22-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
22 | resource "aws_instance" "example" {
23 | ami = "ami-0a695f0d95cefc163"
24 | instance_type = "t3.micro"
25 |
26 | vpc_security_group_ids = [aws_security_group.instance.id]
27 |
28 | user_data = templatefile("user-data.sh", {
29 | server_port = var.server_port
30 | postgres_address = data.terraform_remote_state.postgres.outputs.address
31 | postgres_port = data.terraform_remote_state.postgres.outputs.port
32 | })
33 |
34 | user_data_replace_on_change = true
35 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.example
File: /lessons/165/staging/services/web/main.tf:22-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
22 | resource "aws_instance" "example" {
23 | ami = "ami-0a695f0d95cefc163"
24 | instance_type = "t3.micro"
25 |
26 | vpc_security_group_ids = [aws_security_group.instance.id]
27 |
28 | user_data = templatefile("user-data.sh", {
29 | server_port = var.server_port
30 | postgres_address = data.terraform_remote_state.postgres.outputs.address
31 | postgres_port = data.terraform_remote_state.postgres.outputs.port
32 | })
33 |
34 | user_data_replace_on_change = true
35 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.example
File: /lessons/165/staging/services/web/main.tf:22-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
22 | resource "aws_instance" "example" {
23 | ami = "ami-0a695f0d95cefc163"
24 | instance_type = "t3.micro"
25 |
26 | vpc_security_group_ids = [aws_security_group.instance.id]
27 |
28 | user_data = templatefile("user-data.sh", {
29 | server_port = var.server_port
30 | postgres_address = data.terraform_remote_state.postgres.outputs.address
31 | postgres_port = data.terraform_remote_state.postgres.outputs.port
32 | })
33 |
34 | user_data_replace_on_change = true
35 | }
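The same four aws_instance.example findings repeat across lessons 165/3-example, 165/infra and 165/staging/services/web. IMDSv1 (CKV_AWS_79) is the one with a concrete attack path: an SSRF in the web server started from user_data is enough to fetch the instance role's credentials with a single GET. The following is an added example, not the repository's code, based on the staging/services/web instance; it keeps that module's security group, variables and remote-state outputs and assumes the t3 class, which supports EBS optimization.

```hcl
# Added example: aws_instance hardened for the four findings repeated above.
# Assumes aws_security_group.instance, var.server_port and the postgres
# remote-state outputs exist as in lessons/165/staging/services/web.
resource "aws_instance" "example" {
  ami           = "ami-0a695f0d95cefc163"
  instance_type = "t3.micro"

  vpc_security_group_ids = [aws_security_group.instance.id]

  # CKV_AWS_126: 1-minute CloudWatch metrics.
  monitoring = true

  # CKV_AWS_135: dedicated EBS bandwidth. t3 supports it; some older
  # instance types refuse to launch with the flag set.
  ebs_optimized = true

  # CKV_AWS_8: encrypted root volume (account default EBS key).
  root_block_device {
    encrypted   = true
    volume_type = "gp3"
  }

  # CKV_AWS_79: IMDSv2 only. Credential and user-data reads now need a
  # PUT-obtained token, which a plain SSRF GET cannot produce.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
    instance_metadata_tags      = "disabled"
  }

  user_data = templatefile("user-data.sh", {
    server_port      = var.server_port
    postgres_address = data.terraform_remote_state.postgres.outputs.address
    postgres_port    = data.terraform_remote_state.postgres.outputs.port
  })

  user_data_replace_on_change = true
}
```

Note that user_data itself is readable from the metadata service by anything on the instance, so the database address and port rendered into user-data.sh should be treated as discoverable; credentials must never be templated in there, which is another reason to prefer IAM database authentication on the RDS side.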
Check: CKV_AWS_76: "Ensure API Gateway has Access Logging enabled"
FAILED for resource: aws_apigatewayv2_stage.dev
File: /lessons/167/terraform/11-api-gateway.tf:6-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-17.html
6 | resource "aws_apigatewayv2_stage" "dev" {
7 | api_id = aws_apigatewayv2_api.main.id
8 |
9 | name = "dev"
10 | auto_deploy = true
11 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.vpc_link
File: /lessons/167/terraform/12-integration.tf:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
1 | resource "aws_security_group" "vpc_link" {
2 | name = "vpc-link"
3 | vpc_id = module.vpc.vpc_id
4 |
5 | egress {
6 | from_port = 0
7 | to_port = 0
8 | protocol = "-1"
9 | cidr_blocks = ["0.0.0.0/0"]
10 | }
11 | }
Check: CKV_AWS_309: "Ensure API GatewayV2 routes specify an authorization type"
FAILED for resource: aws_apigatewayv2_route.get_echo
File: /lessons/167/terraform/12-integration.tf:29-34
29 | resource "aws_apigatewayv2_route" "get_echo" {
30 | api_id = aws_apigatewayv2_api.main.id
31 |
32 | route_key = "GET /echo"
33 | target = "integrations/${aws_apigatewayv2_integration.eks.id}"
34 | }
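Lesson 167's HTTP API stage has no access log (CKV_AWS_76) and its route has no authorizer (CKV_AWS_309), so anyone who finds the API URL reaches the EKS integration behind the VPC link with no record of the call. The following is an added example, not the repository's code, showing a JSON-formatted access log and a JWT authorizer on the route. The log group and its retention are additions, and var.jwt_issuer / var.jwt_audience stand for whatever identity provider issues the tokens; both are assumptions.

```hcl
# Added example: HTTP API stage with access logging (CKV_AWS_76) and a JWT
# authorizer on the route (CKV_AWS_309). The log group, its retention and
# var.jwt_issuer / var.jwt_audience are assumptions.
resource "aws_cloudwatch_log_group" "api_gw" {
  name              = "/aws/apigateway/${aws_apigatewayv2_api.main.name}/dev"
  retention_in_days = 90
}

resource "aws_apigatewayv2_stage" "dev" {
  api_id      = aws_apigatewayv2_api.main.id
  name        = "dev"
  auto_deploy = true

  # One JSON line per request: enough to reconstruct who called what, from
  # where, how the authorizer decided, and how the integration answered.
  access_log_settings {
    destination_arn = aws_cloudwatch_log_group.api_gw.arn
    format = jsonencode({
      requestId        = "$context.requestId"
      requestTime      = "$context.requestTime"
      sourceIp         = "$context.identity.sourceIp"
      userAgent        = "$context.identity.userAgent"
      httpMethod       = "$context.httpMethod"
      routeKey         = "$context.routeKey"
      status           = "$context.status"
      authorizerError  = "$context.authorizer.error"
      integrationError = "$context.integrationErrorMessage"
    })
  }
}

# Validates the bearer token's signature, issuer, audience and expiry at the
# edge, before the request ever reaches the VPC link.
resource "aws_apigatewayv2_authorizer" "jwt" {
  api_id           = aws_apigatewayv2_api.main.id
  name             = "jwt"
  authorizer_type  = "JWT"
  identity_sources = ["$request.header.Authorization"]

  jwt_configuration {
    issuer   = var.jwt_issuer
    audience = [var.jwt_audience]
  }
}

resource "aws_apigatewayv2_route" "get_echo" {
  api_id    = aws_apigatewayv2_api.main.id
  route_key = "GET /echo"
  target    = "integrations/${aws_apigatewayv2_integration.eks.id}"

  authorization_type = "JWT"
  authorizer_id      = aws_apigatewayv2_authorizer.jwt.id
}
```

The `$context.*` strings are API Gateway logging variables, not Terraform interpolation (Terraform only expands `${`), so they pass through jsonencode untouched. If no identity provider is available, authorization_type = "AWS_IAM" with SigV4-signed requests also satisfies the check; what does not is "NONE", which is the implicit value in the scanned route.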
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: aws_eks_cluster.this
File: /lessons/167/terraform/3-eks.tf:25-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
25 | resource "aws_eks_cluster" "this" {
26 | name = var.eks_cluster_name
27 | version = "1.27"
28 | role_arn = aws_iam_role.eks.arn
29 |
30 | vpc_config {
31 | subnet_ids = concat(
32 | module.vpc.private_subnets,
33 | module.vpc.public_subnets
34 | )
35 | }
36 |
37 | depends_on = [aws_iam_role_policy_attachment.eks_amazon_eks_cluster_policy]
38 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: aws_eks_cluster.this
File: /lessons/167/terraform/3-eks.tf:25-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
25 | resource "aws_eks_cluster" "this" {
26 | name = var.eks_cluster_name
27 | version = "1.27"
28 | role_arn = aws_iam_role.eks.arn
29 |
30 | vpc_config {
31 | subnet_ids = concat(
32 | module.vpc.private_subnets,
33 | module.vpc.public_subnets
34 | )
35 | }
36 |
37 | depends_on = [aws_iam_role_policy_attachment.eks_amazon_eks_cluster_policy]
38 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: aws_eks_cluster.this
File: /lessons/167/terraform/3-eks.tf:25-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
25 | resource "aws_eks_cluster" "this" {
26 | name = var.eks_cluster_name
27 | version = "1.27"
28 | role_arn = aws_iam_role.eks.arn
29 |
30 | vpc_config {
31 | subnet_ids = concat(
32 | module.vpc.private_subnets,
33 | module.vpc.public_subnets
34 | )
35 | }
36 |
37 | depends_on = [aws_iam_role_policy_attachment.eks_amazon_eks_cluster_policy]
38 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: aws_eks_cluster.this
File: /lessons/167/terraform/3-eks.tf:25-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
25 | resource "aws_eks_cluster" "this" {
26 | name = var.eks_cluster_name
27 | version = "1.27"
28 | role_arn = aws_iam_role.eks.arn
29 |
30 | vpc_config {
31 | subnet_ids = concat(
32 | module.vpc.private_subnets,
33 | module.vpc.public_subnets
34 | )
35 | }
36 |
37 | depends_on = [aws_iam_role_policy_attachment.eks_amazon_eks_cluster_policy]
38 | }
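The four aws_eks_cluster.this findings are all arguments on the cluster resource. The following is an added example, not the repository's code, with control-plane logging (CKV_AWS_37), envelope encryption of Secrets (CKV_AWS_58) and a restricted public endpoint (CKV_AWS_38). The KMS key is an addition and var.admin_cidrs, the operator addresses allowed to reach the API server, is an assumption. CKV_AWS_39 keeps failing until endpoint_public_access is false, which needs a bastion or VPN for kubectl; the example leaves that as the explicit last step.

```hcl
# Added example: aws_eks_cluster with the findings above addressed.
# The KMS key is new; var.admin_cidrs (operator CIDRs for kubectl) is an
# assumption.
resource "aws_kms_key" "eks_secrets" {
  description         = "EKS envelope encryption for Kubernetes Secrets"
  enable_key_rotation = true
}

resource "aws_eks_cluster" "this" {
  name     = var.eks_cluster_name
  version  = "1.27"
  role_arn = aws_iam_role.eks.arn

  vpc_config {
    subnet_ids = concat(
      module.vpc.private_subnets,
      module.vpc.public_subnets
    )

    # CKV_AWS_38: nodes and in-VPC tooling use the private endpoint; the
    # public endpoint answers only the operator CIDRs, never 0.0.0.0/0.
    # CKV_AWS_39: flip endpoint_public_access to false once a bastion or
    # VPN exists; until then this check stays red by design.
    endpoint_private_access = true
    endpoint_public_access  = true
    public_access_cidrs     = var.admin_cidrs
  }

  # CKV_AWS_37: audit and authenticator logs are what answers "who did
  # what, as whom" after an incident; the other three cover scheduling
  # and controller decisions.
  enabled_cluster_log_types = [
    "api",
    "audit",
    "authenticator",
    "controllerManager",
    "scheduler",
  ]

  # CKV_AWS_58: Secrets are encrypted with the CMK before they reach etcd,
  # so an etcd snapshot alone no longer yields plaintext secrets.
  encryption_config {
    provider {
      key_arn = aws_kms_key.eks_secrets.arn
    }
    resources = ["secrets"]
  }

  depends_on = [aws_iam_role_policy_attachment.eks_amazon_eks_cluster_policy]
}
```

The cluster role must be able to use the key: AmazonEKSClusterPolicy, attached in the scanned module, includes kms:DescribeKey and kms:CreateGrant, and the key policy must not deny the role. Existing Secrets are not re-encrypted retroactively; after enabling encryption_config, rewrite them (for example with kubectl get secrets -A -o json | kubectl replace -f -) so the stored copies use the new key.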
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.allow_web
File: /lessons/167/terraform/5-sg.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
1 | resource "aws_security_group_rule" "allow_web" {
2 | type = "ingress"
3 | from_port = 80
4 | to_port = 80
5 | protocol = "tcp"
6 | cidr_blocks = ["0.0.0.0/0"]
7 | security_group_id = aws_eks_cluster.this.vpc_config[0].cluster_security_group_id
8 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group_rule.allow_web
File: /lessons/167/terraform/5-sg.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
1 | resource "aws_security_group_rule" "allow_web" {
2 | type = "ingress"
3 | from_port = 80
4 | to_port = 80
5 | protocol = "tcp"
6 | cidr_blocks = ["0.0.0.0/0"]
7 | security_group_id = aws_eks_cluster.this.vpc_config[0].cluster_security_group_id
8 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.allow_web_node_port
File: /lessons/167/terraform/5-sg.tf:10-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
10 | resource "aws_security_group_rule" "allow_web_node_port" {
11 | type = "ingress"
12 | from_port = 30010
13 | to_port = 30010
14 | protocol = "tcp"
15 | cidr_blocks = ["0.0.0.0/0"]
16 | security_group_id = aws_eks_cluster.this.vpc_config[0].cluster_security_group_id
17 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_zone1
File: /lessons/175/terraform/4-subnets.tf:25-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
25 | resource "aws_subnet" "public_zone1" {
26 | vpc_id = aws_vpc.main.id
27 | cidr_block = "10.0.64.0/19"
28 | availability_zone = local.zone1
29 | map_public_ip_on_launch = true
30 |
31 | tags = {
32 | "Name" = "${local.env}-public-${local.zone1}"
33 | "kubernetes.io/role/elb" = "1"
34 | "kubernetes.io/cluster/${local.env}-${local.eks_name}" = "owned"
35 | }
36 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.public_zone2
File: /lessons/175/terraform/4-subnets.tf:38-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
38 | resource "aws_subnet" "public_zone2" {
39 | vpc_id = aws_vpc.main.id
40 | cidr_block = "10.0.96.0/19"
41 | availability_zone = local.zone2
42 | map_public_ip_on_launch = true
43 |
44 | tags = {
45 | "Name" = "${local.env}-public-${local.zone2}"
46 | "kubernetes.io/role/elb" = "1"
47 | "kubernetes.io/cluster/${local.env}-${local.eks_name}" = "owned"
48 | }
49 | }
Check: CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
FAILED for resource: aws_eks_cluster.eks
File: /lessons/175/terraform/7-eks.tf:25-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-2.html
25 | resource "aws_eks_cluster" "eks" {
26 | name = "${local.env}-${local.eks_name}"
27 | version = local.eks_version
28 | role_arn = aws_iam_role.eks.arn
29 |
30 | vpc_config {
31 | endpoint_private_access = false
32 | endpoint_public_access = true
33 |
34 | subnet_ids = [
35 | aws_subnet.private_zone1.id,
36 | aws_subnet.private_zone2.id
37 | ]
38 | }
39 |
40 | depends_on = [aws_iam_role_policy_attachment.eks]
41 | }
Check: CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
FAILED for resource: aws_eks_cluster.eks
File: /lessons/175/terraform/7-eks.tf:25-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-4.html
25 | resource "aws_eks_cluster" "eks" {
26 | name = "${local.env}-${local.eks_name}"
27 | version = local.eks_version
28 | role_arn = aws_iam_role.eks.arn
29 |
30 | vpc_config {
31 | endpoint_private_access = false
32 | endpoint_public_access = true
33 |
34 | subnet_ids = [
35 | aws_subnet.private_zone1.id,
36 | aws_subnet.private_zone2.id
37 | ]
38 | }
39 |
40 | depends_on = [aws_iam_role_policy_attachment.eks]
41 | }
Check: CKV_AWS_38: "Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0"
FAILED for resource: aws_eks_cluster.eks
File: /lessons/175/terraform/7-eks.tf:25-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-1.html
25 | resource "aws_eks_cluster" "eks" {
26 | name = "${local.env}-${local.eks_name}"
27 | version = local.eks_version
28 | role_arn = aws_iam_role.eks.arn
29 |
30 | vpc_config {
31 | endpoint_private_access = false
32 | endpoint_public_access = true
33 |
34 | subnet_ids = [
35 | aws_subnet.private_zone1.id,
36 | aws_subnet.private_zone2.id
37 | ]
38 | }
39 |
40 | depends_on = [aws_iam_role_policy_attachment.eks]
41 | }
Check: CKV_AWS_58: "Ensure EKS Cluster has Secrets Encryption Enabled"
FAILED for resource: aws_eks_cluster.eks
File: /lessons/175/terraform/7-eks.tf:25-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-kubernetes-policies/bc-aws-kubernetes-3.html
25 | resource "aws_eks_cluster" "eks" {
26 | name = "${local.env}-${local.eks_name}"
27 | version = local.eks_version
28 | role_arn = aws_iam_role.eks.arn
29 |
30 | vpc_config {
31 | endpoint_private_access = false
32 | endpoint_public_access = true
33 |
34 | subnet_ids = [
35 | aws_subnet.private_zone1.id,
36 | aws_subnet.private_zone2.id
37 | ]
38 | }
39 |
40 | depends_on = [aws_iam_role_policy_attachment.eks]
41 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: google_compute_network.main
File: /lessons/120/terraform/2-vpc.tf:9-16
9 | resource "google_compute_network" "main" {
10 | name = "main"
11 | routing_mode = "REGIONAL"
12 | auto_create_subnetworks = false
13 | delete_default_routes_on_create = true
14 |
15 | depends_on = [google_project_service.compute]
16 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: google_compute_network.main
File: /lessons/132/terraform/2-vpc.tf:1-10
1 | resource "google_compute_network" "main" {
2 | name = "main"
3 | routing_mode = "REGIONAL"
4 | auto_create_subnetworks = false
5 | delete_default_routes_on_create = true
6 |
7 | depends_on = [
8 | google_project_service.api
9 | ]
10 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: google_project.host-staging
File: /lessons/069/terraform/2-projects.tf:2-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
2 | resource "google_project" "host-staging" {
3 | name = local.host_project_name
4 | project_id = local.host_project_id
5 | billing_account = local.billing_account
6 | org_id = local.org_id
7 | auto_create_network = false
8 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: google_project.k8s-staging
File: /lessons/069/terraform/2-projects.tf:11-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
11 | resource "google_project" "k8s-staging" {
12 | name = local.service_project_name
13 | project_id = local.service_project_id
14 | billing_account = local.billing_account
15 | org_id = local.org_id
16 | auto_create_network = false
17 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: google_project.antonputra_host
File: /lessons/148/terraform/1-projects.tf:5-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
5 | resource "google_project" "antonputra_host" {
6 | name = "antonputra-host"
7 | project_id = "antonputra-host-${random_id.lesson_id.dec}"
8 | billing_account = "01FDA3-9697F3-6F05B8"
9 | org_id = "206720471760"
10 | auto_create_network = false
11 | }
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
FAILED for resource: google_project.antonputra_service
File: /lessons/148/terraform/1-projects.tf:13-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project.html
13 | resource "google_project" "antonputra_service" {
14 | name = "antonputra-service"
15 | project_id = "antonputra-service-${random_id.lesson_id.dec}"
16 | billing_account = "01FDA3-9697F3-6F05B8"
17 | org_id = "206720471760"
18 | auto_create_network = false
19 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/115/terraform/1-lambda-bucket.tf:6-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
6 | resource "aws_s3_bucket" "lambda_bucket" {
7 | bucket = random_pet.lambda_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.test
File: /lessons/115/terraform/5-test-bucket.tf:6-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
6 | resource "aws_s3_bucket" "test" {
7 | bucket = random_pet.test_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/117/terraform/2-lambda-bucket.tf:6-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
6 | resource "aws_s3_bucket" "lambda_bucket" {
7 | bucket = random_pet.lambda_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/122/terraform/8-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/124/terraform/1-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/124/terraform/2-images-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
8 | resource "aws_s3_bucket" "images_bucket" {
9 | bucket = random_pet.images_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/126/terraform/1-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/126/terraform/2-images-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
8 | resource "aws_s3_bucket" "images_bucket" {
9 | bucket = random_pet.images_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/128/terraform/1-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/128/terraform/2-images-bucket.tf:7-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
7 | resource "aws_s3_bucket" "images_bucket" {
8 | bucket = "images-${random_id.server.hex}"
9 | force_destroy = true
10 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.functions
File: /lessons/129/terraform/1-aws-buckets.tf:2-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
2 | resource "aws_s3_bucket" "functions" {
3 | bucket = "functions-${random_id.lesson.hex}"
4 | force_destroy = true
5 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.images
File: /lessons/129/terraform/1-aws-buckets.tf:18-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
18 | resource "aws_s3_bucket" "images" {
19 | bucket = "images-${random_id.lesson.hex}"
20 | force_destroy = true
21 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/131/terraform/11-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.terraform_state
File: /lessons/165/1-example/main.tf:5-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
5 | resource "aws_s3_bucket" "terraform_state" {
6 | bucket = "antonputra-terraform-state"
7 |
8 | lifecycle {
9 | prevent_destroy = true
10 | }
11 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.terraform_state
File: /lessons/165/global/s3/main.tf:5-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
5 | resource "aws_s3_bucket" "terraform_state" {
6 | bucket = "antonputra-terraform-state"
7 |
8 | lifecycle {
9 | prevent_destroy = true
10 | }
11 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/115/terraform/1-lambda-bucket.tf:6-9
6 | resource "aws_s3_bucket" "lambda_bucket" {
7 | bucket = random_pet.lambda_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.test
File: /lessons/115/terraform/5-test-bucket.tf:6-9
6 | resource "aws_s3_bucket" "test" {
7 | bucket = random_pet.test_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/117/terraform/2-lambda-bucket.tf:6-9
6 | resource "aws_s3_bucket" "lambda_bucket" {
7 | bucket = random_pet.lambda_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/122/terraform/8-lambda-bucket.tf:8-11
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/124/terraform/1-lambda-bucket.tf:8-11
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/124/terraform/2-images-bucket.tf:8-11
8 | resource "aws_s3_bucket" "images_bucket" {
9 | bucket = random_pet.images_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/126/terraform/1-lambda-bucket.tf:8-11
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/126/terraform/2-images-bucket.tf:8-11
8 | resource "aws_s3_bucket" "images_bucket" {
9 | bucket = random_pet.images_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/128/terraform/1-lambda-bucket.tf:8-11
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/128/terraform/2-images-bucket.tf:7-10
7 | resource "aws_s3_bucket" "images_bucket" {
8 | bucket = "images-${random_id.server.hex}"
9 | force_destroy = true
10 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.functions
File: /lessons/129/terraform/1-aws-buckets.tf:2-5
2 | resource "aws_s3_bucket" "functions" {
3 | bucket = "functions-${random_id.lesson.hex}"
4 | force_destroy = true
5 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.images
File: /lessons/129/terraform/1-aws-buckets.tf:18-21
18 | resource "aws_s3_bucket" "images" {
19 | bucket = "images-${random_id.lesson.hex}"
20 | force_destroy = true
21 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/131/terraform/11-lambda-bucket.tf:8-11
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.terraform_state
File: /lessons/165/1-example/main.tf:5-11
5 | resource "aws_s3_bucket" "terraform_state" {
6 | bucket = "antonputra-terraform-state"
7 |
8 | lifecycle {
9 | prevent_destroy = true
10 | }
11 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.terraform_state
File: /lessons/165/global/s3/main.tf:5-11
5 | resource "aws_s3_bucket" "terraform_state" {
6 | bucket = "antonputra-terraform-state"
7 |
8 | lifecycle {
9 | prevent_destroy = true
10 | }
11 | }
Check: CKV2_AWS_16: "Ensure that Auto Scaling is enabled on your DynamoDB tables"
FAILED for resource: aws_dynamodb_table.meta
File: /lessons/124/terraform/3-dynamodb.tf:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-auto-scaling-is-enabled-on-your-dynamodb-tables.html
1 | resource "aws_dynamodb_table" "meta" {
2 | name = "Meta"
3 | billing_mode = "PROVISIONED"
4 | read_capacity = 5
5 | write_capacity = 5
6 | hash_key = "LastModified"
7 |
8 | attribute {
9 | name = "LastModified"
10 | type = "S"
11 | }
12 | }
Check: CKV2_AWS_16: "Ensure that Auto Scaling is enabled on your DynamoDB tables"
FAILED for resource: aws_dynamodb_table.meta
File: /lessons/126/terraform/3-dynamodb.tf:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-auto-scaling-is-enabled-on-your-dynamodb-tables.html
2 | resource "aws_dynamodb_table" "meta" {
3 | name = "Meta"
4 | billing_mode = "PROVISIONED"
5 | read_capacity = 5
6 | write_capacity = 1000
7 | hash_key = "LastModified"
8 |
9 | attribute {
10 | name = "LastModified"
11 | type = "S"
12 | }
13 | }
Check: CKV2_AWS_16: "Ensure that Auto Scaling is enabled on your DynamoDB tables"
FAILED for resource: aws_dynamodb_table.images
File: /lessons/128/terraform/3-dynamodb.tf:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-auto-scaling-is-enabled-on-your-dynamodb-tables.html
1 | resource "aws_dynamodb_table" "images" {
2 | name = "images"
3 | billing_mode = "PROVISIONED"
4 | read_capacity = 5
5 | write_capacity = 100
6 | hash_key = "last_modified_date"
7 |
8 | attribute {
9 | name = "last_modified_date"
10 | type = "S"
11 | }
12 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/162/1-part/3-rds.tf:1-14
1 | resource "aws_db_instance" "mydb" {
2 | db_name = "mydb"
3 | engine = "postgres"
4 | engine_version = "15"
5 | instance_class = "db.t4g.micro"
6 | allocated_storage = 10
7 |
8 | publicly_accessible = true
9 | skip_final_snapshot = true
10 | db_subnet_group_name = aws_db_subnet_group.public.name
11 |
12 | username = "root"
13 | password = "devops123"
14 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/162/2-part/3-rds.tf:1-14
1 | resource "aws_db_instance" "mydb" {
2 | db_name = "mydb"
3 | engine = "postgres"
4 | engine_version = "15"
5 | instance_class = "db.t4g.micro"
6 | allocated_storage = 10
7 |
8 | publicly_accessible = true
9 | skip_final_snapshot = true
10 | db_subnet_group_name = aws_db_subnet_group.public.name
11 |
12 | username = var.username
13 | password = var.password
14 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/162/3-part/3-rds.tf:12-25
12 | resource "aws_db_instance" "mydb" {
13 | db_name = "mydb"
14 | engine = "postgres"
15 | engine_version = "15"
16 | instance_class = "db.t4g.micro"
17 | allocated_storage = 10
18 |
19 | publicly_accessible = true
20 | skip_final_snapshot = true
21 | db_subnet_group_name = aws_db_subnet_group.public.name
22 |
23 | username = local.db_creds.username
24 | password = local.db_creds.password
25 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/162/5-part/3-rds.tf:11-24
11 | resource "aws_db_instance" "mydb" {
12 | db_name = "mydb"
13 | engine = "postgres"
14 | engine_version = "15"
15 | instance_class = "db.t4g.micro"
16 | allocated_storage = 10
17 |
18 | publicly_accessible = true
19 | skip_final_snapshot = true
20 | db_subnet_group_name = aws_db_subnet_group.public.name
21 |
22 | username = local.db_creds.username
23 | password = local.db_creds.password
24 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/infra/main.tf:10-22
10 | resource "aws_db_instance" "mydb" {
11 | db_name = "mydb"
12 | engine = "postgres"
13 | engine_version = "15"
14 | instance_class = "db.t4g.micro"
15 | allocated_storage = 10
16 |
17 | publicly_accessible = true
18 | skip_final_snapshot = true
19 |
20 | username = "root"
21 | password = "devops123"
22 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
11 | resource "aws_db_instance" "mydb" {
12 | db_name = "mydb"
13 | engine = "postgres"
14 | engine_version = "15"
15 | instance_class = "db.t4g.micro"
16 | allocated_storage = 10
17 |
18 | skip_final_snapshot = true
19 | publicly_accessible = true
20 |
21 | username = var.username
22 | password = var.password
23 | }
Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
FAILED for resource: aws_route_table.private
File: /lessons/089/terraform/5-routes.tf:3-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
3 | resource "aws_route_table" "private" {
4 | vpc_id = aws_vpc.main.id
5 |
6 | route = [
7 | {
8 | cidr_block = "0.0.0.0/0"
9 | nat_gateway_id = aws_nat_gateway.nat.id
10 | carrier_gateway_id = ""
11 | destination_prefix_list_id = ""
12 | egress_only_gateway_id = ""
13 | gateway_id = ""
14 | instance_id = ""
15 | ipv6_cidr_block = ""
16 | local_gateway_id = ""
17 | network_interface_id = ""
18 | transit_gateway_id = ""
19 | vpc_endpoint_id = ""
20 | vpc_peering_connection_id = ""
21 | },
22 | ]
23 |
24 | tags = {
25 | Name = "private"
26 | }
27 | }
Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
FAILED for resource: aws_route_table.public
File: /lessons/089/terraform/5-routes.tf:29-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
29 | resource "aws_route_table" "public" {
30 | vpc_id = aws_vpc.main.id
31 |
32 | route = [
33 | {
34 | cidr_block = "0.0.0.0/0"
35 | gateway_id = aws_internet_gateway.igw.id
36 | nat_gateway_id = ""
37 | carrier_gateway_id = ""
38 | destination_prefix_list_id = ""
39 | egress_only_gateway_id = ""
40 | instance_id = ""
41 | ipv6_cidr_block = ""
42 | local_gateway_id = ""
43 | network_interface_id = ""
44 | transit_gateway_id = ""
45 | vpc_endpoint_id = ""
46 | vpc_peering_connection_id = ""
47 | },
48 | ]
49 |
50 | tags = {
51 | Name = "public"
52 | }
53 | }
Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
FAILED for resource: aws_route_table.private
File: /lessons/090/terraform/5-routes.tf:3-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
3 | resource "aws_route_table" "private" {
4 | vpc_id = aws_vpc.main.id
5 |
6 | route = [
7 | {
8 | cidr_block = "0.0.0.0/0"
9 | nat_gateway_id = aws_nat_gateway.nat.id
10 | carrier_gateway_id = ""
11 | destination_prefix_list_id = ""
12 | egress_only_gateway_id = ""
13 | gateway_id = ""
14 | instance_id = ""
15 | ipv6_cidr_block = ""
16 | local_gateway_id = ""
17 | network_interface_id = ""
18 | transit_gateway_id = ""
19 | vpc_endpoint_id = ""
20 | vpc_peering_connection_id = ""
21 | },
22 | ]
23 |
24 | tags = {
25 | Name = "private"
26 | }
27 | }
Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
FAILED for resource: aws_route_table.public
File: /lessons/090/terraform/5-routes.tf:29-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
29 | resource "aws_route_table" "public" {
30 | vpc_id = aws_vpc.main.id
31 |
32 | route = [
33 | {
34 | cidr_block = "0.0.0.0/0"
35 | gateway_id = aws_internet_gateway.igw.id
36 | nat_gateway_id = ""
37 | carrier_gateway_id = ""
38 | destination_prefix_list_id = ""
39 | egress_only_gateway_id = ""
40 | instance_id = ""
41 | ipv6_cidr_block = ""
42 | local_gateway_id = ""
43 | network_interface_id = ""
44 | transit_gateway_id = ""
45 | vpc_endpoint_id = ""
46 | vpc_peering_connection_id = ""
47 | },
48 | ]
49 |
50 | tags = {
51 | Name = "public"
52 | }
53 | }
Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
FAILED for resource: aws_route_table.private
File: /lessons/091/terraform/5-routes.tf:3-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
3 | resource "aws_route_table" "private" {
4 | vpc_id = aws_vpc.main.id
5 |
6 | route = [
7 | {
8 | cidr_block = "0.0.0.0/0"
9 | nat_gateway_id = aws_nat_gateway.nat.id
10 | carrier_gateway_id = ""
11 | destination_prefix_list_id = ""
12 | egress_only_gateway_id = ""
13 | gateway_id = ""
14 | instance_id = ""
15 | ipv6_cidr_block = ""
16 | local_gateway_id = ""
17 | network_interface_id = ""
18 | transit_gateway_id = ""
19 | vpc_endpoint_id = ""
20 | vpc_peering_connection_id = ""
21 | },
22 | ]
23 |
24 | tags = {
25 | Name = "private"
26 | }
27 | }
Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
FAILED for resource: aws_route_table.public
File: /lessons/091/terraform/5-routes.tf:29-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
29 | resource "aws_route_table" "public" {
30 | vpc_id = aws_vpc.main.id
31 |
32 | route = [
33 | {
34 | cidr_block = "0.0.0.0/0"
35 | gateway_id = aws_internet_gateway.igw.id
36 | nat_gateway_id = ""
37 | carrier_gateway_id = ""
38 | destination_prefix_list_id = ""
39 | egress_only_gateway_id = ""
40 | instance_id = ""
41 | ipv6_cidr_block = ""
42 | local_gateway_id = ""
43 | network_interface_id = ""
44 | transit_gateway_id = ""
45 | vpc_endpoint_id = ""
46 | vpc_peering_connection_id = ""
47 | },
48 | ]
49 |
50 | tags = {
51 | Name = "public"
52 | }
53 | }
Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
FAILED for resource: aws_route_table.private
File: /lessons/099/terraform/5-routes.tf:3-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
3 | resource "aws_route_table" "private" {
4 | vpc_id = aws_vpc.main.id
5 |
6 | route = [
7 | {
8 | cidr_block = "0.0.0.0/0"
9 | nat_gateway_id = aws_nat_gateway.nat.id
10 | carrier_gateway_id = ""
11 | destination_prefix_list_id = ""
12 | egress_only_gateway_id = ""
13 | gateway_id = ""
14 | instance_id = ""
15 | ipv6_cidr_block = ""
16 | local_gateway_id = ""
17 | network_interface_id = ""
18 | transit_gateway_id = ""
19 | vpc_endpoint_id = ""
20 | vpc_peering_connection_id = ""
21 | },
22 | ]
23 |
24 | tags = {
25 | Name = "private"
26 | }
27 | }
Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
FAILED for resource: aws_route_table.public
File: /lessons/099/terraform/5-routes.tf:29-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
29 | resource "aws_route_table" "public" {
30 | vpc_id = aws_vpc.main.id
31 |
32 | route = [
33 | {
34 | cidr_block = "0.0.0.0/0"
35 | gateway_id = aws_internet_gateway.igw.id
36 | nat_gateway_id = ""
37 | carrier_gateway_id = ""
38 | destination_prefix_list_id = ""
39 | egress_only_gateway_id = ""
40 | instance_id = ""
41 | ipv6_cidr_block = ""
42 | local_gateway_id = ""
43 | network_interface_id = ""
44 | transit_gateway_id = ""
45 | vpc_endpoint_id = ""
46 | vpc_peering_connection_id = ""
47 | },
48 | ]
49 |
50 | tags = {
51 | Name = "public"
52 | }
53 | }
Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
FAILED for resource: aws_route_table.private
File: /lessons/102/terraform/5-routes.tf:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
1 | resource "aws_route_table" "private" {
2 | vpc_id = aws_vpc.main.id
3 |
4 | route = [
5 | {
6 | cidr_block = "0.0.0.0/0"
7 | nat_gateway_id = aws_nat_gateway.nat.id
8 | carrier_gateway_id = ""
9 | destination_prefix_list_id = ""
10 | egress_only_gateway_id = ""
11 | gateway_id = ""
12 | instance_id = ""
13 | ipv6_cidr_block = ""
14 | local_gateway_id = ""
15 | network_interface_id = ""
16 | transit_gateway_id = ""
17 | vpc_endpoint_id = ""
18 | vpc_peering_connection_id = ""
19 | },
20 | ]
21 |
22 | tags = {
23 | Name = "private"
24 | }
25 | }
Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
FAILED for resource: aws_route_table.public
File: /lessons/102/terraform/5-routes.tf:27-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
27 | resource "aws_route_table" "public" {
28 | vpc_id = aws_vpc.main.id
29 |
30 | route = [
31 | {
32 | cidr_block = "0.0.0.0/0"
33 | gateway_id = aws_internet_gateway.igw.id
34 | nat_gateway_id = ""
35 | carrier_gateway_id = ""
36 | destination_prefix_list_id = ""
37 | egress_only_gateway_id = ""
38 | instance_id = ""
39 | ipv6_cidr_block = ""
40 | local_gateway_id = ""
41 | network_interface_id = ""
42 | transit_gateway_id = ""
43 | vpc_endpoint_id = ""
44 | vpc_peering_connection_id = ""
45 | },
46 | ]
47 |
48 | tags = {
49 | Name = "public"
50 | }
51 | }
Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
FAILED for resource: aws_route_table.public
File: /lessons/104/terraform/4-routes.tf:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
1 | resource "aws_route_table" "public" {
2 | vpc_id = aws_vpc.main.id
3 |
4 | route = [
5 | {
6 | cidr_block = "0.0.0.0/0"
7 | gateway_id = aws_internet_gateway.igw.id
8 | nat_gateway_id = ""
9 | carrier_gateway_id = ""
10 | destination_prefix_list_id = ""
11 | egress_only_gateway_id = ""
12 | instance_id = ""
13 | ipv6_cidr_block = ""
14 | local_gateway_id = ""
15 | network_interface_id = ""
16 | transit_gateway_id = ""
17 | vpc_endpoint_id = ""
18 | vpc_peering_connection_id = ""
19 | },
20 | ]
21 |
22 | tags = {
23 | Name = "public"
24 | }
25 | }
Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
FAILED for resource: aws_route_table.private
File: /lessons/105/aws-terraform/5-routes.tf:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
1 | resource "aws_route_table" "private" {
2 | vpc_id = aws_vpc.main.id
3 |
4 | route = [
5 | {
6 | cidr_block = "0.0.0.0/0"
7 | nat_gateway_id = aws_nat_gateway.nat.id
8 | carrier_gateway_id = ""
9 | destination_prefix_list_id = ""
10 | egress_only_gateway_id = ""
11 | gateway_id = ""
12 | instance_id = ""
13 | ipv6_cidr_block = ""
14 | local_gateway_id = ""
15 | network_interface_id = ""
16 | transit_gateway_id = ""
17 | vpc_endpoint_id = ""
18 | vpc_peering_connection_id = ""
19 | },
20 | ]
21 |
22 | tags = {
23 | Name = "private"
24 | }
25 | }
Check: CKV2_AWS_44: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
FAILED for resource: aws_route_table.public
File: /lessons/105/aws-terraform/5-routes.tf:27-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-route-table-with-vpc-peering-does-not-contain-routes-overly-permissive-to-all-traffic.html
27 | resource "aws_route_table" "public" {
28 | vpc_id = aws_vpc.main.id
29 |
30 | route = [
31 | {
32 | cidr_block = "0.0.0.0/0"
33 | gateway_id = aws_internet_gateway.igw.id
34 | nat_gateway_id = ""
35 | carrier_gateway_id = ""
36 | destination_prefix_list_id = ""
37 | egress_only_gateway_id = ""
38 | instance_id = ""
39 | ipv6_cidr_block = ""
40 | local_gateway_id = ""
41 | network_interface_id = ""
42 | transit_gateway_id = ""
43 | vpc_endpoint_id = ""
44 | vpc_peering_connection_id = ""
45 | },
46 | ]
47 |
48 | tags = {
49 | Name = "public"
50 | }
51 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.nat1
File: /lessons/038/terraform/eips.tf:5-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
5 | resource "aws_eip" "nat1" {
6 | # EIP may require IGW to exist prior to association.
7 | # Use depends_on to set an explicit dependency on the IGW.
8 | depends_on = [aws_internet_gateway.main]
9 | }
Check: CKV2_AWS_19: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances"
FAILED for resource: aws_eip.nat2
File: /lessons/038/terraform/eips.tf:11-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-all-eip-addresses-allocated-to-a-vpc-are-attached-to-ec2-instances.html
11 | resource "aws_eip" "nat2" {
12 | # EIP may require IGW to exist prior to association.
13 | # Use depends_on to set an explicit dependency on the IGW.
14 | depends_on = [aws_internet_gateway.main]
15 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/020/main.tf:8-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
8 | resource "aws_vpc" "main" {
9 | cidr_block = "10.0.0.0/18"
10 |
11 | tags = {
12 | Name = "main"
13 | }
14 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/038/terraform/vpc.tf:4-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
4 | resource "aws_vpc" "main" {
5 | # The CIDR block for the VPC.
6 | cidr_block = "192.168.0.0/16"
7 |
8 | # Makes your instances shared on the host.
9 | instance_tenancy = "default"
10 |
11 | # Required for EKS. Enable/disable DNS support in the VPC.
12 | enable_dns_support = true
13 |
14 | # Required for EKS. Enable/disable DNS hostnames in the VPC.
15 | enable_dns_hostnames = true
16 |
17 | # Enable/disable ClassicLink for the VPC.
18 | enable_classiclink = false
19 |
20 | # Enable/disable ClassicLink DNS Support for the VPC.
21 | enable_classiclink_dns_support = false
22 |
23 | # Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC.
24 | assign_generated_ipv6_cidr_block = false
25 |
26 | # A map of tags to assign to the resource.
27 | tags = {
28 | Name = "main"
29 | }
30 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/089/terraform/1-vpc.tf:3-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
3 | resource "aws_vpc" "main" {
4 | cidr_block = "10.0.0.0/16"
5 |
6 | tags = {
7 | Name = "main"
8 | }
9 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/090/terraform/1-vpc.tf:3-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
3 | resource "aws_vpc" "main" {
4 | cidr_block = "10.0.0.0/16"
5 |
6 | tags = {
7 | Name = "main"
8 | }
9 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/091/terraform/1-vpc.tf:3-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
3 | resource "aws_vpc" "main" {
4 | cidr_block = "10.0.0.0/16"
5 |
6 | tags = {
7 | Name = "main"
8 | }
9 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/099/terraform/1-vpc.tf:3-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
3 | resource "aws_vpc" "main" {
4 | cidr_block = "10.0.0.0/16"
5 |
6 | tags = {
7 | Name = "main"
8 | }
9 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/102/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/104/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/105/aws-terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/112/terraform/1-vpc.tf:1-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_hostnames = true
5 |
6 | tags = {
7 | Name = "main"
8 | }
9 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/113/terraform/1-vpc.tf:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | # Must be enabled for EFS
5 | enable_dns_support = true
6 | enable_dns_hostnames = true
7 |
8 | tags = {
9 | Name = "main"
10 | }
11 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/114/terraform/1-vpc.tf:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | # Must be enabled for EFS
5 | enable_dns_support = true
6 | enable_dns_hostnames = true
7 |
8 | tags = {
9 | Name = "main"
10 | }
11 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/116/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/118/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/119/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/121/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/122/terraform/1-vpc.tf:2-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
2 | resource "aws_vpc" "main" {
3 | cidr_block = "10.0.0.0/16"
4 |
5 | enable_dns_support = true
6 | enable_dns_hostnames = true
7 |
8 | tags = {
9 | Name = "main"
10 | }
11 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/127/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/130/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/131/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/133/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/134/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/135/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/136/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/138/terraform/01-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/139/0-terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/140/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/142/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/143/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/144/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/145/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/146/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/147/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/149/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/150/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/151/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/152/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/153/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/154/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/155/eks-terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/156/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.this
File: /lessons/160/git-infrastructure-modules/vpc/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "this" {
2 | cidr_block = var.vpc_cidr_block
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "${var.env}-main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/160/infrastructure-live-v1/dev/vpc/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "dev-main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/160/infrastructure-live-v1/staging/vpc/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "staging-main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: module.vpc.aws_vpc.this
File: /lessons/160/infrastructure-modules/vpc/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "this" {
2 | cidr_block = var.vpc_cidr_block
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "${var.env}-main"
9 | }
10 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/161/0-intro/declarative.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "staging-main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/161/1-loop/1-count/vpc.tf:1-3
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/161/1-loop/2-for_each/vpc.tf:1-3
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/161/2-conditionals/2-if-else/vpc.tf:1-3
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: module.vpcs.aws_vpc.main
File: /lessons/161/modules/vpc/main.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: module.vpcs.aws_vpc.database[0]
File: /lessons/161/modules/vpc/main.tf:9-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
9 | resource "aws_vpc" "database" {
10 | count = var.enable_database_vpc ? 1 : 0
11 |
12 | cidr_block = "10.1.0.0/16"
13 |
14 | tags = {
15 | Name = "database"
16 | }
17 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /lessons/175/terraform/2-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "${local.env}-main"
9 | }
10 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: aws_lb_listener.app
File: /lessons/063/main.tf:77-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
77 | resource "aws_lb_listener" "app" {
78 | load_balancer_arn = aws_lb.app.arn
79 | port = "80"
80 | protocol = "HTTP"
81 |
82 | default_action {
83 | type = "forward"
84 | # target_group_arn = aws_lb_target_group.blue.arn
85 | forward {
86 | target_group {
87 | arn = aws_lb_target_group.blue.arn
88 | weight = lookup(local.traffic_dist_map[var.traffic_distribution], "blue", 100)
89 | }
90 |
91 | target_group {
92 | arn = aws_lb_target_group.green.arn
93 | weight = lookup(local.traffic_dist_map[var.traffic_distribution], "green", 0)
94 | }
95 |
96 | stickiness {
97 | enabled = false
98 | duration = 1
99 | }
100 | }
101 | }
102 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: aws_lb_listener.http_eg1
File: /lessons/127/terraform/6-example-1.tf:145-154
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
145 | resource "aws_lb_listener" "http_eg1" {
146 | load_balancer_arn = aws_lb.my_app_eg1.arn
147 | port = "80"
148 | protocol = "HTTP"
149 |
150 | default_action {
151 | type = "forward"
152 | target_group_arn = aws_lb_target_group.my_app_eg1.arn
153 | }
154 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: aws_lb_listener.my_app_eg2_tls
File: /lessons/127/terraform/7-example-2.tf:218-231
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
218 | resource "aws_lb_listener" "my_app_eg2_tls" {
219 | load_balancer_arn = aws_lb.my_app_eg2.arn
220 | port = "443"
221 | protocol = "HTTPS"
222 | certificate_arn = aws_acm_certificate.api.arn
223 | ssl_policy = "ELBSecurityPolicy-2016-08"
224 |
225 | default_action {
226 | type = "forward"
227 | target_group_arn = aws_lb_target_group.my_app_eg2.arn
228 | }
229 |
230 | depends_on = [aws_acm_certificate_validation.api]
231 | }
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
FAILED for resource: aws_lb_listener.http
File: /lessons/164/main.tf:87-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html
87 | resource "aws_lb_listener" "http" {
88 | load_balancer_arn = aws_lb.example.arn
89 | port = 80
90 | protocol = "HTTP"
91 |
92 | # By default, it just shows a simple 404 page
93 | default_action {
94 | type = "fixed-response"
95 |
96 | fixed_response {
97 | content_type = "text/plain"
98 | message_body = "404: page not found"
99 | status_code = 404
100 | }
101 | }
102 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: aws_lb.app
File: /lessons/063/main.tf:64-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
64 | resource "aws_lb" "app" {
65 | name = "app-lb"
66 | internal = false
67 | load_balancer_type = "application"
68 | subnets = [
69 | local.public_a_subnet_id,
70 | local.public_b_subnet_id
71 | ]
72 | security_groups = [aws_security_group.web.id]
73 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: aws_lb.my_app_eg1
File: /lessons/127/terraform/6-example-1.tf:127-143
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
127 | resource "aws_lb" "my_app_eg1" {
128 | name = "my-app-eg1"
129 | internal = false
130 | load_balancer_type = "application"
131 | security_groups = [aws_security_group.alb_eg1.id]
132 |
133 | # access_logs {
134 | # bucket = "my-logs"
135 | # prefix = "my-app-lb"
136 | # enabled = true
137 | # }
138 |
139 | subnets = [
140 | aws_subnet.public_us_east_1a.id,
141 | aws_subnet.public_us_east_1b.id
142 | ]
143 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: aws_lb.my_app_eg2
File: /lessons/127/terraform/7-example-2.tf:141-151
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
141 | resource "aws_lb" "my_app_eg2" {
142 | name = "my-app-eg2"
143 | internal = false
144 | load_balancer_type = "application"
145 | security_groups = [aws_security_group.alb_eg2.id]
146 |
147 | subnets = [
148 | aws_subnet.public_us_east_1a.id,
149 | aws_subnet.public_us_east_1b.id
150 | ]
151 | }
Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
FAILED for resource: aws_lb.example
File: /lessons/164/main.tf:80-85
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html
80 | resource "aws_lb" "example" {
81 | name = "web"
82 | load_balancer_type = "application"
83 | subnets = data.aws_subnets.default.ids
84 | security_groups = [aws_security_group.alb.id]
85 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/115/terraform/1-lambda-bucket.tf:6-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
6 | resource "aws_s3_bucket" "lambda_bucket" {
7 | bucket = random_pet.lambda_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.test
File: /lessons/115/terraform/5-test-bucket.tf:6-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
6 | resource "aws_s3_bucket" "test" {
7 | bucket = random_pet.test_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/117/terraform/2-lambda-bucket.tf:6-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
6 | resource "aws_s3_bucket" "lambda_bucket" {
7 | bucket = random_pet.lambda_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/122/terraform/8-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/124/terraform/1-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/124/terraform/2-images-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
8 | resource "aws_s3_bucket" "images_bucket" {
9 | bucket = random_pet.images_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/126/terraform/1-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/126/terraform/2-images-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
8 | resource "aws_s3_bucket" "images_bucket" {
9 | bucket = random_pet.images_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/128/terraform/1-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/128/terraform/2-images-bucket.tf:7-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
7 | resource "aws_s3_bucket" "images_bucket" {
8 | bucket = "images-${random_id.server.hex}"
9 | force_destroy = true
10 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.functions
File: /lessons/129/terraform/1-aws-buckets.tf:2-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
2 | resource "aws_s3_bucket" "functions" {
3 | bucket = "functions-${random_id.lesson.hex}"
4 | force_destroy = true
5 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.images
File: /lessons/129/terraform/1-aws-buckets.tf:18-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
18 | resource "aws_s3_bucket" "images" {
19 | bucket = "images-${random_id.lesson.hex}"
20 | force_destroy = true
21 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/131/terraform/11-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.vpc_link
File: /lessons/116/terraform/9-integration.tf:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
1 | resource "aws_security_group" "vpc_link" {
2 | name = "vpc-link"
3 | vpc_id = aws_vpc.main.id
4 |
5 | egress {
6 | from_port = 0
7 | to_port = 0
8 | protocol = "-1"
9 | cidr_blocks = ["0.0.0.0/0"]
10 | }
11 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.web
File: /lessons/161/1-loop/1-count/sg.tf:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
1 | resource "aws_security_group" "web" {
2 | name = "allow-web-access"
3 | vpc_id = aws_vpc.main.id
4 |
5 | ingress {
6 | from_port = 80
7 | to_port = 80
8 | protocol = "tcp"
9 | cidr_blocks = ["0.0.0.0/0"]
10 | }
11 |
12 | ingress {
13 | from_port = 443
14 | to_port = 443
15 | protocol = "tcp"
16 | cidr_blocks = ["0.0.0.0/0"]
17 | }
18 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.vpc_link
File: /lessons/167/terraform/12-integration.tf:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
1 | resource "aws_security_group" "vpc_link" {
2 | name = "vpc-link"
3 | vpc_id = module.vpc.vpc_id
4 |
5 | egress {
6 | from_port = 0
7 | to_port = 0
8 | protocol = "-1"
9 | cidr_blocks = ["0.0.0.0/0"]
10 | }
11 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: aws_route53_zone.devops
File: /lessons/020/main.tf:163-166
163 | resource "aws_route53_zone" "devops" {
164 | name = "devopsbyexample.io"
165 | comment = ""
166 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: aws_route53_zone.antonputra
File: /lessons/144/terraform/14.dns.tf:6-12
6 | resource "aws_route53_zone" "antonputra" {
7 | name = "antonputra.pvt"
8 |
9 | vpc {
10 | vpc_id = aws_vpc.main.id
11 | }
12 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: aws_route53_zone.private
File: /lessons/145/terraform/13-private-dns.tf:6-12
6 | resource "aws_route53_zone" "private" {
7 | name = local.private_route53_zone
8 |
9 | vpc {
10 | vpc_id = aws_vpc.main.id
11 | }
12 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: aws_route53_zone.antonputra_pvt
File: /lessons/146/terraform/14.dns.tf:2-8
2 | resource "aws_route53_zone" "antonputra_pvt" {
3 | name = "antonputra.pvt"
4 |
5 | vpc {
6 | vpc_id = aws_vpc.main.id
7 | }
8 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: aws_route53_zone.private
File: /lessons/147/terraform/13-private-dns.tf:8-14
8 | resource "aws_route53_zone" "private" {
9 | name = local.private_route53_zone
10 |
11 | vpc {
12 | vpc_id = aws_vpc.main.id
13 | }
14 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: aws_route53_zone.private
File: /lessons/149/terraform/13-private-dns.tf:6-12
6 | resource "aws_route53_zone" "private" {
7 | name = local.private_route53_zone
8 |
9 | vpc {
10 | vpc_id = aws_vpc.main.id
11 | }
12 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: aws_route53_zone.private
File: /lessons/150/terraform/13-private-dns.tf:7-13
7 | resource "aws_route53_zone" "private" {
8 | name = local.private_route53_zone
9 |
10 | vpc {
11 | vpc_id = aws_vpc.main.id
12 | }
13 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: aws_route53_zone.antonputra
File: /lessons/151/terraform/13.dns.tf:6-12
6 | resource "aws_route53_zone" "antonputra" {
7 | name = "antonputra.pvt"
8 |
9 | vpc {
10 | vpc_id = aws_vpc.main.id
11 | }
12 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: aws_route53_zone.antonputra
File: /lessons/153/terraform/13.dns.tf:6-12
6 | resource "aws_route53_zone" "antonputra" {
7 | name = "antonputra.pvt"
8 |
9 | vpc {
10 | vpc_id = aws_vpc.main.id
11 | }
12 | }
Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
FAILED for resource: aws_lb.app
File: /lessons/063/main.tf:64-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
64 | resource "aws_lb" "app" {
65 | name = "app-lb"
66 | internal = false
67 | load_balancer_type = "application"
68 | subnets = [
69 | local.public_a_subnet_id,
70 | local.public_b_subnet_id
71 | ]
72 | security_groups = [aws_security_group.web.id]
73 | }
Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
FAILED for resource: aws_lb.my_app_eg1
File: /lessons/127/terraform/6-example-1.tf:127-143
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
127 | resource "aws_lb" "my_app_eg1" {
128 | name = "my-app-eg1"
129 | internal = false
130 | load_balancer_type = "application"
131 | security_groups = [aws_security_group.alb_eg1.id]
132 |
133 | # access_logs {
134 | # bucket = "my-logs"
135 | # prefix = "my-app-lb"
136 | # enabled = true
137 | # }
138 |
139 | subnets = [
140 | aws_subnet.public_us_east_1a.id,
141 | aws_subnet.public_us_east_1b.id
142 | ]
143 | }
Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
FAILED for resource: aws_lb.example
File: /lessons/164/main.tf:80-85
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones.html
80 | resource "aws_lb" "example" {
81 | name = "web"
82 | load_balancer_type = "application"
83 | subnets = data.aws_subnets.default.ids
84 | security_groups = [aws_security_group.alb.id]
85 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/115/terraform/1-lambda-bucket.tf:6-9
6 | resource "aws_s3_bucket" "lambda_bucket" {
7 | bucket = random_pet.lambda_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.test
File: /lessons/115/terraform/5-test-bucket.tf:6-9
6 | resource "aws_s3_bucket" "test" {
7 | bucket = random_pet.test_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/117/terraform/2-lambda-bucket.tf:6-9
6 | resource "aws_s3_bucket" "lambda_bucket" {
7 | bucket = random_pet.lambda_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/122/terraform/8-lambda-bucket.tf:8-11
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/124/terraform/1-lambda-bucket.tf:8-11
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/124/terraform/2-images-bucket.tf:8-11
8 | resource "aws_s3_bucket" "images_bucket" {
9 | bucket = random_pet.images_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/126/terraform/1-lambda-bucket.tf:8-11
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/126/terraform/2-images-bucket.tf:8-11
8 | resource "aws_s3_bucket" "images_bucket" {
9 | bucket = random_pet.images_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/128/terraform/1-lambda-bucket.tf:8-11
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/128/terraform/2-images-bucket.tf:7-10
7 | resource "aws_s3_bucket" "images_bucket" {
8 | bucket = "images-${random_id.server.hex}"
9 | force_destroy = true
10 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.functions
File: /lessons/129/terraform/1-aws-buckets.tf:2-5
2 | resource "aws_s3_bucket" "functions" {
3 | bucket = "functions-${random_id.lesson.hex}"
4 | force_destroy = true
5 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.images
File: /lessons/129/terraform/1-aws-buckets.tf:18-21
18 | resource "aws_s3_bucket" "images" {
19 | bucket = "images-${random_id.lesson.hex}"
20 | force_destroy = true
21 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/131/terraform/11-lambda-bucket.tf:8-11
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.terraform_state
File: /lessons/165/1-example/main.tf:5-11
5 | resource "aws_s3_bucket" "terraform_state" {
6 | bucket = "antonputra-terraform-state"
7 |
8 | lifecycle {
9 | prevent_destroy = true
10 | }
11 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.terraform_state
File: /lessons/165/global/s3/main.tf:5-11
5 | resource "aws_s3_bucket" "terraform_state" {
6 | bucket = "antonputra-terraform-state"
7 |
8 | lifecycle {
9 | prevent_destroy = true
10 | }
11 | }
Check: CKV2_AWS_30: "Ensure Postgres RDS as aws_db_instance has Query Logging enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/162/1-part/3-rds.tf:1-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-postgres-rds-has-query-logging-enabled.html
1 | resource "aws_db_instance" "mydb" {
2 | db_name = "mydb"
3 | engine = "postgres"
4 | engine_version = "15"
5 | instance_class = "db.t4g.micro"
6 | allocated_storage = 10
7 |
8 | publicly_accessible = true
9 | skip_final_snapshot = true
10 | db_subnet_group_name = aws_db_subnet_group.public.name
11 |
12 | username = "root"
13 | password = "devops123"
14 | }
Check: CKV2_AWS_30: "Ensure Postgres RDS as aws_db_instance has Query Logging enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/162/2-part/3-rds.tf:1-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-postgres-rds-has-query-logging-enabled.html
1 | resource "aws_db_instance" "mydb" {
2 | db_name = "mydb"
3 | engine = "postgres"
4 | engine_version = "15"
5 | instance_class = "db.t4g.micro"
6 | allocated_storage = 10
7 |
8 | publicly_accessible = true
9 | skip_final_snapshot = true
10 | db_subnet_group_name = aws_db_subnet_group.public.name
11 |
12 | username = var.username
13 | password = var.password
14 | }
Check: CKV2_AWS_30: "Ensure Postgres RDS as aws_db_instance has Query Logging enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/162/3-part/3-rds.tf:12-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-postgres-rds-has-query-logging-enabled.html
12 | resource "aws_db_instance" "mydb" {
13 | db_name = "mydb"
14 | engine = "postgres"
15 | engine_version = "15"
16 | instance_class = "db.t4g.micro"
17 | allocated_storage = 10
18 |
19 | publicly_accessible = true
20 | skip_final_snapshot = true
21 | db_subnet_group_name = aws_db_subnet_group.public.name
22 |
23 | username = local.db_creds.username
24 | password = local.db_creds.password
25 | }
Check: CKV2_AWS_30: "Ensure Postgres RDS as aws_db_instance has Query Logging enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/162/5-part/3-rds.tf:11-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-postgres-rds-has-query-logging-enabled.html
11 | resource "aws_db_instance" "mydb" {
12 | db_name = "mydb"
13 | engine = "postgres"
14 | engine_version = "15"
15 | instance_class = "db.t4g.micro"
16 | allocated_storage = 10
17 |
18 | publicly_accessible = true
19 | skip_final_snapshot = true
20 | db_subnet_group_name = aws_db_subnet_group.public.name
21 |
22 | username = local.db_creds.username
23 | password = local.db_creds.password
24 | }
Check: CKV2_AWS_30: "Ensure Postgres RDS as aws_db_instance has Query Logging enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/infra/main.tf:10-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-postgres-rds-has-query-logging-enabled.html
10 | resource "aws_db_instance" "mydb" {
11 | db_name = "mydb"
12 | engine = "postgres"
13 | engine_version = "15"
14 | instance_class = "db.t4g.micro"
15 | allocated_storage = 10
16 |
17 | publicly_accessible = true
18 | skip_final_snapshot = true
19 |
20 | username = "root"
21 | password = "devops123"
22 | }
Check: CKV2_AWS_30: "Ensure Postgres RDS as aws_db_instance has Query Logging enabled"
FAILED for resource: aws_db_instance.mydb
File: /lessons/165/staging/data-stores/postgres/main.tf:11-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-postgres-rds-has-query-logging-enabled.html
11 | resource "aws_db_instance" "mydb" {
12 | db_name = "mydb"
13 | engine = "postgres"
14 | engine_version = "15"
15 | instance_class = "db.t4g.micro"
16 | allocated_storage = 10
17 |
18 | skip_final_snapshot = true
19 | publicly_accessible = true
20 |
21 | username = var.username
22 | password = var.password
23 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/115/terraform/1-lambda-bucket.tf:6-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
6 | resource "aws_s3_bucket" "lambda_bucket" {
7 | bucket = random_pet.lambda_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.test
File: /lessons/115/terraform/5-test-bucket.tf:6-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
6 | resource "aws_s3_bucket" "test" {
7 | bucket = random_pet.test_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/117/terraform/2-lambda-bucket.tf:6-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
6 | resource "aws_s3_bucket" "lambda_bucket" {
7 | bucket = random_pet.lambda_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/122/terraform/8-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/124/terraform/1-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/124/terraform/2-images-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
8 | resource "aws_s3_bucket" "images_bucket" {
9 | bucket = random_pet.images_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/126/terraform/1-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/126/terraform/2-images-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
8 | resource "aws_s3_bucket" "images_bucket" {
9 | bucket = random_pet.images_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/128/terraform/1-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/128/terraform/2-images-bucket.tf:7-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
7 | resource "aws_s3_bucket" "images_bucket" {
8 | bucket = "images-${random_id.server.hex}"
9 | force_destroy = true
10 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.functions
File: /lessons/129/terraform/1-aws-buckets.tf:2-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
2 | resource "aws_s3_bucket" "functions" {
3 | bucket = "functions-${random_id.lesson.hex}"
4 | force_destroy = true
5 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.images
File: /lessons/129/terraform/1-aws-buckets.tf:18-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
18 | resource "aws_s3_bucket" "images" {
19 | bucket = "images-${random_id.lesson.hex}"
20 | force_destroy = true
21 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/131/terraform/11-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.terraform_state
File: /lessons/165/1-example/main.tf:5-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
5 | resource "aws_s3_bucket" "terraform_state" {
6 | bucket = "antonputra-terraform-state"
7 |
8 | lifecycle {
9 | prevent_destroy = true
10 | }
11 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.terraform_state
File: /lessons/165/global/s3/main.tf:5-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
5 | resource "aws_s3_bucket" "terraform_state" {
6 | bucket = "antonputra-terraform-state"
7 |
8 | lifecycle {
9 | prevent_destroy = true
10 | }
11 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/115/terraform/1-lambda-bucket.tf:6-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
6 | resource "aws_s3_bucket" "lambda_bucket" {
7 | bucket = random_pet.lambda_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.test
File: /lessons/115/terraform/5-test-bucket.tf:6-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
6 | resource "aws_s3_bucket" "test" {
7 | bucket = random_pet.test_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/117/terraform/2-lambda-bucket.tf:6-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
6 | resource "aws_s3_bucket" "lambda_bucket" {
7 | bucket = random_pet.lambda_bucket_name.id
8 | force_destroy = true
9 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/122/terraform/8-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/124/terraform/1-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/124/terraform/2-images-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
8 | resource "aws_s3_bucket" "images_bucket" {
9 | bucket = random_pet.images_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/126/terraform/1-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/126/terraform/2-images-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
8 | resource "aws_s3_bucket" "images_bucket" {
9 | bucket = random_pet.images_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/128/terraform/1-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.images_bucket
File: /lessons/128/terraform/2-images-bucket.tf:7-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
7 | resource "aws_s3_bucket" "images_bucket" {
8 | bucket = "images-${random_id.server.hex}"
9 | force_destroy = true
10 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.functions
File: /lessons/129/terraform/1-aws-buckets.tf:2-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
2 | resource "aws_s3_bucket" "functions" {
3 | bucket = "functions-${random_id.lesson.hex}"
4 | force_destroy = true
5 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.images
File: /lessons/129/terraform/1-aws-buckets.tf:18-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
18 | resource "aws_s3_bucket" "images" {
19 | bucket = "images-${random_id.lesson.hex}"
20 | force_destroy = true
21 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.lambda_bucket
File: /lessons/131/terraform/11-lambda-bucket.tf:8-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
8 | resource "aws_s3_bucket" "lambda_bucket" {
9 | bucket = random_pet.lambda_bucket_name.id
10 | force_destroy = true
11 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.terraform_state
File: /lessons/165/1-example/main.tf:5-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
5 | resource "aws_s3_bucket" "terraform_state" {
6 | bucket = "antonputra-terraform-state"
7 |
8 | lifecycle {
9 | prevent_destroy = true
10 | }
11 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.terraform_state
File: /lessons/165/global/s3/main.tf:5-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
5 | resource "aws_s3_bucket" "terraform_state" {
6 | bucket = "antonputra-terraform-state"
7 |
8 | lifecycle {
9 | prevent_destroy = true
10 | }
11 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.nginx
File: /lessons/014/main.tf:39-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
39 | resource "aws_instance" "nginx" {
40 | ami = "ami-0dba2cb6798deb6d8"
41 | subnet_id = "subnet-060a1ae52cf0a73d6"
42 | instance_type = "t2.micro"
43 | associate_public_ip_address = true
44 | security_groups = [aws_security_group.nginx.id]
45 | key_name = local.key_name
46 |
47 | provisioner "remote-exec" {
48 | inline = ["echo 'Wait until SSH is ready'"]
49 |
50 | connection {
51 | type = "ssh"
52 | user = local.ssh_user
53 | private_key = file(local.private_key_path)
54 | host = aws_instance.nginx.public_ip
55 | }
56 | }
57 | provisioner "local-exec" {
58 | command = "ansible-playbook -i ${aws_instance.nginx.public_ip}, --private-key ${local.private_key_path} nginx.yaml"
59 | }
60 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.nginx
File: /lessons/020/main.tf:149-158
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
149 | resource "aws_instance" "nginx" {
150 | ami = "ami-0dba2cb6798deb6d8"
151 | instance_type = "t2.micro"
152 | vpc_security_group_ids = [aws_security_group.nginx.id]
153 | key_name = "devops"
154 |
155 | tags = {
156 | Name = "Nginx"
157 | }
158 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.server
File: /lessons/040/main.tf:4-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
4 | resource "aws_instance" "server" {
5 | # The AMI to use for the instance.
6 | ami = var.ami
7 |
8 | # The type of instance to start.
9 | instance_type = "t2.micro"
10 |
11 | lifecycle {
12 | create_before_destroy = true
13 | ignore_changes = [tags]
14 | }
15 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.ubuntu
File: /lessons/053/infra-2/main.tf:20-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
20 | resource "aws_instance" "ubuntu" {
21 | ami = "ami-013f17f36f8b1fefb"
22 | instance_type = "t3.micro"
23 | subnet_id = "subnet-07fc2d0816e1f6100"
24 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.blue[0]
File: /lessons/063/blue.tf:3-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
3 | resource "aws_instance" "blue" {
4 | count = var.enable_blue_env ? var.blue_instance_count : 0
5 |
6 | ami = local.ubuntu_ami
7 | instance_type = "t2.micro"
8 | subnet_id = local.private_a_subnet_id
9 | vpc_security_group_ids = [aws_security_group.web.id]
10 |
11 | user_data = templatefile("./init-script.sh", {
12 | file_content = "blue version 1.2 - ${count.index}"
13 | })
14 |
15 | tags = {
16 | Name = "blue version 1.2 - ${count.index}"
17 | }
18 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.green
File: /lessons/063/green.tf:3-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
3 | resource "aws_instance" "green" {
4 | count = var.enable_green_env ? var.green_instance_count : 0
5 |
6 | ami = local.ubuntu_ami
7 | instance_type = "t2.micro"
8 | subnet_id = local.private_a_subnet_id
9 | vpc_security_group_ids = [aws_security_group.web.id]
10 |
11 | user_data = templatefile("./init-script.sh", {
12 | file_content = "green version 1.1 - ${count.index}"
13 | })
14 |
15 | tags = {
16 | Name = "green version 1.1 - ${count.index}"
17 | }
18 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.web
File: /lessons/104/terraform/5-ec2.tf:28-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
28 | resource "aws_instance" "web" {
29 | ami = data.aws_ami.ubuntu.id
30 | instance_type = "t3.small"
31 |
32 | key_name = local.key_name
33 |
34 | network_interface {
35 | network_interface_id = aws_network_interface.monitoring.id
36 | device_index = 0
37 | }
38 |
39 | tags = {
40 | Name = "monitoring"
41 | }
42 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.my-app-example-2
File: /lessons/118/terraform/10-ec2-example-2.tf:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "my-app-example-2" {
2 | ami = "ami-0d5482f3cb962780f"
3 | instance_type = "t3.micro"
4 | key_name = "devops"
5 | subnet_id = aws_subnet.private-us-east-1a.id
6 |
7 | vpc_security_group_ids = [aws_security_group.my-app-example-2.id]
8 |
9 | tags = {
10 | Name = "my-app-example-2"
11 | }
12 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.my-app-example-1
File: /lessons/118/terraform/7-ec2-example-1.tf:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "my-app-example-1" {
2 | ami = "ami-0d5482f3cb962780f"
3 | instance_type = "t3.micro"
4 | key_name = "devops"
5 | subnet_id = aws_subnet.public-us-east-1a.id
6 |
7 | associate_public_ip_address = true
8 | vpc_security_group_ids = [aws_security_group.my-app-example-1.id]
9 |
10 | tags = {
11 | Name = "my-app-example-1"
12 | }
13 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.my_server
File: /lessons/121/terraform/6-ec2.tf:38-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
38 | resource "aws_instance" "my_server" {
39 | ami = data.aws_ami.ubuntu.id
40 | instance_type = "t3.micro"
41 |
42 | key_name = "old-key"
43 | subnet_id = aws_subnet.public-us-east-1a.id
44 | vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
45 |
46 | associate_public_ip_address = true
47 |
48 | tags = {
49 | Name = "My Server"
50 | }
51 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.my_server
File: /lessons/122/terraform/6-ec2.tf:41-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
41 | resource "aws_instance" "my_server" {
42 | ami = data.aws_ami.ubuntu.id
43 | instance_type = "t3.micro"
44 |
45 | # create devops key pair manually before you run terraform
46 | key_name = "devops"
47 |
48 | subnet_id = aws_subnet.public_us_east_1a.id
49 | vpc_security_group_ids = [aws_security_group.my_server_ssh_access.id]
50 |
51 | associate_public_ip_address = true
52 |
53 | tags = {
54 | Name = "my-server"
55 | }
56 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.my_app_eg1["my-app-00"]
File: /lessons/127/terraform/6-example-1.tf:78-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
78 | resource "aws_instance" "my_app_eg1" {
79 | for_each = local.web_servers
80 |
81 | ami = "ami-07309549f34230bcd"
82 | instance_type = each.value.machine_type
83 | key_name = "devops"
84 | subnet_id = each.value.subnet_id
85 |
86 | vpc_security_group_ids = [aws_security_group.ec2_eg1.id]
87 |
88 | tags = {
89 | Name = each.key
90 | }
91 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.my_app
File: /lessons/130/terraform/12-ec2.tf:46-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
46 | resource "aws_instance" "my_app" {
47 | ami = data.aws_ami.ubuntu.id
48 | instance_type = "t3.micro"
49 | key_name = "devops"
50 | subnet_id = aws_subnet.public_us_east_1a.id
51 | vpc_security_group_ids = [aws_security_group.my_app.id]
52 |
53 | user_data = <> /etc/systemd/system/node_exporter.service
63 | [Unit]
64 | Description=Node Exporter
65 | Wants=network-online.target
66 | After=network-online.target
67 |
68 | StartLimitIntervalSec=500
69 | StartLimitBurst=5
70 |
71 | [Service]
72 | User=node_exporter
73 | Group=node_exporter
74 | Type=simple
75 | Restart=on-failure
76 | RestartSec=5s
77 | ExecStart=/usr/local/bin/node_exporter
78 |
79 | [Install]
80 | WantedBy=multi-user.target
81 | EOT
82 |
83 | systemctl enable node_exporter
84 | systemctl start node_exporter
85 | EOF
86 |
87 | tags = {
88 | Name = "My App"
89 | node-exporter = "true"
90 | }
91 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.nginx
File: /lessons/146/terraform/10-nginx-ec2.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "nginx" {
2 | ami = data.aws_ami.ubuntu_jammy.id
3 | key_name = "devops"
4 | instance_type = "t3a.small"
5 | subnet_id = aws_subnet.public_us_east_1a.id
6 |
7 | vpc_security_group_ids = [
8 | aws_security_group.ssh.id,
9 | aws_security_group.proxy.id
10 | ]
11 |
12 | tags = {
13 | Name = "nginx.antonputra.pvt"
14 | service = "nginx"
15 | node-exporter = "true"
16 | }
17 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.apache
File: /lessons/146/terraform/11-apache-ec2.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "apache" {
2 | ami = data.aws_ami.ubuntu_jammy.id
3 | key_name = "devops"
4 | instance_type = "t3a.small"
5 | subnet_id = aws_subnet.public_us_east_1a.id
6 |
7 | vpc_security_group_ids = [
8 | aws_security_group.ssh.id,
9 | aws_security_group.proxy.id
10 | ]
11 |
12 | tags = {
13 | Name = "apache.antonputra.pvt"
14 | service = "apache"
15 | node-exporter = "true"
16 | }
17 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.client
File: /lessons/146/terraform/13-client.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "client" {
2 | ami = data.aws_ami.ubuntu_jammy.id
3 | key_name = "devops"
4 | instance_type = "t3a.xlarge"
5 | subnet_id = aws_subnet.public_us_east_1a.id
6 |
7 | vpc_security_group_ids = [
8 | aws_security_group.ssh.id,
9 | aws_security_group.client.id
10 | ]
11 |
12 | tags = {
13 | Name = "client.antonputra.pvt"
14 | service = "client"
15 | node-exporter = "true"
16 | }
17 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.myapp
File: /lessons/146/terraform/9-myapp-ec2.tf:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "myapp" {
2 | ami = data.aws_ami.ubuntu_jammy.id
3 | key_name = "devops"
4 | instance_type = "t3a.large"
5 | subnet_id = aws_subnet.public_us_east_1a.id
6 |
7 | vpc_security_group_ids = [
8 | aws_security_group.ssh.id,
9 | aws_security_group.myapp.id
10 | ]
11 |
12 | tags = {
13 | Name = "myapp-000.antonputra.pvt"
14 | service = "myapp"
15 | node-exporter = "true"
16 | rust-exporter = "true"
17 | }
18 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.client
File: /lessons/147/terraform/15-client.tf:38-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
38 | resource "aws_instance" "client" {
39 | ami = data.aws_ami.ubuntu_jammy.id
40 | key_name = "devops"
41 | instance_type = "t3a.xlarge"
42 | subnet_id = aws_subnet.public_us_east_1a.id
43 |
44 | vpc_security_group_ids = [
45 | aws_security_group.client.id
46 | ]
47 |
48 | tags = {
49 | Name = "client.antonputra.pvt"
50 | service = "client"
51 | node-exporter = "true"
52 | }
53 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.client
File: /lessons/149/terraform/15-client.tf:38-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
38 | resource "aws_instance" "client" {
39 | ami = data.aws_ami.ubuntu_jammy.id
40 | key_name = "devops"
41 | instance_type = "t3a.xlarge"
42 | subnet_id = aws_subnet.public_us_east_1a.id
43 |
44 | vpc_security_group_ids = [
45 | aws_security_group.client.id
46 | ]
47 |
48 | tags = {
49 | Name = "client.antonputra.pvt"
50 | service = "client"
51 | node-exporter = "true"
52 | }
53 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.client
File: /lessons/150/terraform/15-client.tf:38-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
38 | resource "aws_instance" "client" {
39 | ami = data.aws_ami.ubuntu_jammy.id
40 | key_name = "devops"
41 | instance_type = "t3a.xlarge"
42 | subnet_id = aws_subnet.public_us_east_1a.id
43 |
44 | vpc_security_group_ids = [
45 | aws_security_group.client.id
46 | ]
47 |
48 | tags = {
49 | Name = "client.antonputra.pvt"
50 | service = "client"
51 | node-exporter = "true"
52 | }
53 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.envoy
File: /lessons/151/terraform/10-envoy.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "envoy" {
2 | ami = data.aws_ami.ubuntu_jammy.id
3 | instance_type = "m6a.large"
4 | subnet_id = aws_subnet.public_us_east_1a.id
5 | key_name = "devops" # TODO: update to yours
6 |
7 | vpc_security_group_ids = [
8 | aws_security_group.proxy.id,
9 | aws_security_group.ssh.id
10 | ]
11 |
12 | tags = {
13 | Name = "envoy"
14 | service = "envoy"
15 | node-exporter = "true"
16 | }
17 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.nginx
File: /lessons/151/terraform/11-nginx.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "nginx" {
2 | ami = data.aws_ami.ubuntu_jammy.id
3 | instance_type = "m6a.large"
4 | subnet_id = aws_subnet.public_us_east_1a.id
5 | key_name = "devops" # TODO: update to yours
6 |
7 | vpc_security_group_ids = [
8 | aws_security_group.proxy.id,
9 | aws_security_group.ssh.id
10 | ]
11 |
12 | tags = {
13 | Name = "nginx"
14 | service = "nginx"
15 | node-exporter = "true"
16 | }
17 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.myapp
File: /lessons/151/terraform/8-myapp.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "myapp" {
2 | ami = data.aws_ami.ubuntu_jammy.id
3 | instance_type = "m6a.xlarge"
4 | subnet_id = aws_subnet.public_us_east_1a.id
5 | key_name = "devops" # TODO: update to yours
6 |
7 | vpc_security_group_ids = [
8 | aws_security_group.myapp.id,
9 | aws_security_group.ssh.id
10 | ]
11 |
12 | tags = {
13 | Name = "myapp"
14 | service = "myapp"
15 | node-exporter = "true"
16 | }
17 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.caddy
File: /lessons/153/terraform/10-caddy.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "caddy" {
2 | ami = data.aws_ami.ubuntu_jammy.id
3 | instance_type = "m6a.large"
4 | subnet_id = aws_subnet.public_us_east_1a.id
5 | key_name = "devops" # TODO: update to yours
6 |
7 | vpc_security_group_ids = [
8 | aws_security_group.proxy.id,
9 | aws_security_group.ssh.id
10 | ]
11 |
12 | tags = {
13 | Name = "caddy"
14 | service = "caddy"
15 | node-exporter = "true"
16 | }
17 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.traefik
File: /lessons/153/terraform/11-traefik.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "traefik" {
2 | ami = data.aws_ami.ubuntu_jammy.id
3 | instance_type = "m6a.large"
4 | subnet_id = aws_subnet.public_us_east_1a.id
5 | key_name = "devops" # TODO: update to yours
6 |
7 | vpc_security_group_ids = [
8 | aws_security_group.proxy.id,
9 | aws_security_group.ssh.id
10 | ]
11 |
12 | tags = {
13 | Name = "traefik"
14 | service = "traefik"
15 | node-exporter = "true"
16 | }
17 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.myapp
File: /lessons/153/terraform/8-myapp.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "myapp" {
2 | ami = data.aws_ami.ubuntu_jammy.id
3 | instance_type = "m6a.xlarge"
4 | subnet_id = aws_subnet.public_us_east_1a.id
5 | key_name = "devops" # TODO: update to yours
6 |
7 | vpc_security_group_ids = [
8 | aws_security_group.myapp.id,
9 | aws_security_group.ssh.id
10 | ]
11 |
12 | tags = {
13 | Name = "myapp"
14 | service = "myapp"
15 | node-exporter = "true"
16 | }
17 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.test
File: /lessons/154/terraform/14-ec2.tf:44-92
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
44 | resource "aws_instance" "test" {
45 | ami = data.aws_ami.ubuntu_jammy.id
46 | instance_type = "t3a.small"
47 | subnet_id = aws_subnet.public_us_east_1a.id
48 | # key_name = "devops" # TODO: update to yours
49 |
50 | vpc_security_group_ids = [
51 | aws_security_group.test.id
52 | ]
53 |
54 | user_data = <> /etc/systemd/system/node_exporter.service
64 | [Unit]
65 | Description=Node Exporter
66 | Wants=network-online.target
67 | After=network-online.target
68 | StartLimitIntervalSec=500
69 | StartLimitBurst=5
70 |
71 | [Service]
72 | User=node_exporter
73 | Group=node_exporter
74 | Type=simple
75 | Restart=on-failure
76 | RestartSec=5s
77 | ExecStart=/usr/local/bin/node_exporter
78 |
79 | [Install]
80 | WantedBy=multi-user.target
81 | EOT
82 |
83 | systemctl enable node_exporter
84 | systemctl start node_exporter
85 | EOF
86 |
87 | tags = {
88 | Name = "myapp"
89 | service = "myapp"
90 | node-exporter = "true"
91 | }
92 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.nginx
File: /lessons/161/0-intro/copy-paste.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "nginx" {
2 | ami = "ami-0f35953afaa5c8c60"
3 | instance_type = "t3.micro"
4 |
5 | tags = {
6 | Name = "staging-nginx"
7 | }
8 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.nginx_2
File: /lessons/161/0-intro/copy-paste.tf:10-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
10 | resource "aws_instance" "nginx_2" {
11 | ami = "ami-0f35953afaa5c8c60"
12 | instance_type = "t3.micro"
13 |
14 | tags = {
15 | Name = "staging-nginx"
16 | }
17 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.nginx
File: /lessons/161/0-intro/declarative.tf:9-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
9 | resource "aws_instance" "nginx" {
10 | ami = "ami-0f35953afaa5c8c60"
11 | instance_type = "t3.micro"
12 |
13 | tags = {
14 | Name = "staging-nginx"
15 | }
16 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.web["nginx-0"]
File: /lessons/161/1-loop/2-for_each/ec2.tf:14-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
14 | resource "aws_instance" "web" {
15 | for_each = local.web_servers
16 |
17 | ami = "ami-1234567890"
18 | instance_type = each.value.instance_type
19 | availability_zone = each.value.availability_zone
20 |
21 | tags = {
22 | Name = each.key
23 | }
24 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.example
File: /lessons/164/main.tf:16-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
16 | resource "aws_instance" "example" {
17 | ami = "ami-0a695f0d95cefc163"
18 | instance_type = "t3.micro"
19 |
20 | vpc_security_group_ids = [aws_security_group.instance.id]
21 |
22 | user_data = <<-EOF
23 | #!/bin/bash
24 | echo "Hello, World" > index.html
25 | nohup busybox httpd -f -p ${var.server_port} &
26 | EOF
27 |
28 | user_data_replace_on_change = true
29 |
30 | tags = {
31 | Name = "my-ubuntu"
32 | }
33 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.example
File: /lessons/165/3-example/main.tf:5-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
5 | resource "aws_instance" "example" {
6 | ami = "ami-0a695f0d95cefc163"
7 |
8 | instance_type = (
9 | terraform.workspace == "default" ? "t3.medium" : "t3.micro"
10 | )
11 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.example
File: /lessons/165/infra/main.tf:5-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
5 | resource "aws_instance" "example" {
6 | ami = "ami-0a695f0d95cefc163"
7 | instance_type = "t3.micro"
8 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.example
File: /lessons/165/staging/services/web/main.tf:22-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
22 | resource "aws_instance" "example" {
23 | ami = "ami-0a695f0d95cefc163"
24 | instance_type = "t3.micro"
25 |
26 | vpc_security_group_ids = [aws_security_group.instance.id]
27 |
28 | user_data = templatefile("user-data.sh", {
29 | server_port = var.server_port
30 | postgres_address = data.terraform_remote_state.postgres.outputs.address
31 | postgres_port = data.terraform_remote_state.postgres.outputs.port
32 | })
33 |
34 | user_data_replace_on_change = true
35 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.blue[1]
File: /lessons/063/blue.tf:3-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
3 | resource "aws_instance" "blue" {
4 | count = var.enable_blue_env ? var.blue_instance_count : 0
5 |
6 | ami = local.ubuntu_ami
7 | instance_type = "t2.micro"
8 | subnet_id = local.private_a_subnet_id
9 | vpc_security_group_ids = [aws_security_group.web.id]
10 |
11 | user_data = templatefile("./init-script.sh", {
12 | file_content = "blue version 1.2 - ${count.index}"
13 | })
14 |
15 | tags = {
16 | Name = "blue version 1.2 - ${count.index}"
17 | }
18 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.my_app_eg1["my-app-01"]
File: /lessons/127/terraform/6-example-1.tf:78-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
78 | resource "aws_instance" "my_app_eg1" {
79 | for_each = local.web_servers
80 |
81 | ami = "ami-07309549f34230bcd"
82 | instance_type = each.value.machine_type
83 | key_name = "devops"
84 | subnet_id = each.value.subnet_id
85 |
86 | vpc_security_group_ids = [aws_security_group.ec2_eg1.id]
87 |
88 | tags = {
89 | Name = each.key
90 | }
91 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.web["nginx-1"]
File: /lessons/161/1-loop/2-for_each/ec2.tf:14-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
14 | resource "aws_instance" "web" {
15 | for_each = local.web_servers
16 |
17 | ami = "ami-1234567890"
18 | instance_type = each.value.instance_type
19 | availability_zone = each.value.availability_zone
20 |
21 | tags = {
22 | Name = each.key
23 | }
24 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/020/main.tf:8-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
8 | resource "aws_vpc" "main" {
9 | cidr_block = "10.0.0.0/18"
10 |
11 | tags = {
12 | Name = "main"
13 | }
14 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/038/terraform/vpc.tf:4-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
4 | resource "aws_vpc" "main" {
5 | # The CIDR block for the VPC.
6 | cidr_block = "192.168.0.0/16"
7 |
8 | # Makes your instances shared on the host.
9 | instance_tenancy = "default"
10 |
11 | # Required for EKS. Enable/disable DNS support in the VPC.
12 | enable_dns_support = true
13 |
14 | # Required for EKS. Enable/disable DNS hostnames in the VPC.
15 | enable_dns_hostnames = true
16 |
17 | # Enable/disable ClassicLink for the VPC.
18 | enable_classiclink = false
19 |
20 | # Enable/disable ClassicLink DNS Support for the VPC.
21 | enable_classiclink_dns_support = false
22 |
23 | # Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC.
24 | assign_generated_ipv6_cidr_block = false
25 |
26 | # A map of tags to assign to the resource.
27 | tags = {
28 | Name = "main"
29 | }
30 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/089/terraform/1-vpc.tf:3-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
3 | resource "aws_vpc" "main" {
4 | cidr_block = "10.0.0.0/16"
5 |
6 | tags = {
7 | Name = "main"
8 | }
9 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/090/terraform/1-vpc.tf:3-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
3 | resource "aws_vpc" "main" {
4 | cidr_block = "10.0.0.0/16"
5 |
6 | tags = {
7 | Name = "main"
8 | }
9 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/091/terraform/1-vpc.tf:3-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
3 | resource "aws_vpc" "main" {
4 | cidr_block = "10.0.0.0/16"
5 |
6 | tags = {
7 | Name = "main"
8 | }
9 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/099/terraform/1-vpc.tf:3-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
3 | resource "aws_vpc" "main" {
4 | cidr_block = "10.0.0.0/16"
5 |
6 | tags = {
7 | Name = "main"
8 | }
9 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/102/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/104/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/105/aws-terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/112/terraform/1-vpc.tf:1-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_hostnames = true
5 |
6 | tags = {
7 | Name = "main"
8 | }
9 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/113/terraform/1-vpc.tf:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | # Must be enabled for EFS
5 | enable_dns_support = true
6 | enable_dns_hostnames = true
7 |
8 | tags = {
9 | Name = "main"
10 | }
11 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/114/terraform/1-vpc.tf:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | # Must be enabled for EFS
5 | enable_dns_support = true
6 | enable_dns_hostnames = true
7 |
8 | tags = {
9 | Name = "main"
10 | }
11 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/116/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/118/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/119/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/121/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/122/terraform/1-vpc.tf:2-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
2 | resource "aws_vpc" "main" {
3 | cidr_block = "10.0.0.0/16"
4 |
5 | enable_dns_support = true
6 | enable_dns_hostnames = true
7 |
8 | tags = {
9 | Name = "main"
10 | }
11 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/127/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/130/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/131/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/133/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/134/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/135/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/136/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/138/terraform/01-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/139/0-terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/140/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/142/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/143/terraform/1-vpc.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/144/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/145/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/146/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/147/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/149/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/150/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/151/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/152/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/153/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/154/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/155/eks-terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/156/terraform/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.this
File: /lessons/160/git-infrastructure-modules/vpc/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "this" {
2 | cidr_block = var.vpc_cidr_block
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "${var.env}-main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/160/infrastructure-live-v1/dev/vpc/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "dev-main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/160/infrastructure-live-v1/staging/vpc/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "staging-main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: module.vpc.aws_vpc.this
File: /lessons/160/infrastructure-modules/vpc/1-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "this" {
2 | cidr_block = var.vpc_cidr_block
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "${var.env}-main"
9 | }
10 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/161/0-intro/declarative.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "staging-main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/161/1-loop/1-count/vpc.tf:1-3
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/161/1-loop/2-for_each/vpc.tf:1-3
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/161/2-conditionals/2-if-else/vpc.tf:1-3
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: module.vpcs.aws_vpc.main
File: /lessons/161/modules/vpc/main.tf:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | tags = {
5 | Name = "main"
6 | }
7 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: module.vpcs.aws_vpc.database[0]
File: /lessons/161/modules/vpc/main.tf:9-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
9 | resource "aws_vpc" "database" {
10 | count = var.enable_database_vpc ? 1 : 0
11 |
12 | cidr_block = "10.1.0.0/16"
13 |
14 | tags = {
15 | Name = "database"
16 | }
17 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /lessons/175/terraform/2-vpc.tf:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
1 | resource "aws_vpc" "main" {
2 | cidr_block = "10.0.0.0/16"
3 |
4 | enable_dns_support = true
5 | enable_dns_hostnames = true
6 |
7 | tags = {
8 | Name = "${local.env}-main"
9 | }
10 | }
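Every aws_vpc listed above fails CKV2_AWS_11 for the same reason: nothing in the same configuration declares an aws_flow_log whose vpc_id points at the VPC. The block below is an added example, not code from the antonputra/tutorials repository. It keeps the VPC exactly as it appears in the findings and adds the smallest set of resources that satisfies the check with a CloudWatch Logs destination: the log group, a role that only the VPC Flow Logs service can assume, a policy scoped to that one log group, and the flow log itself. The log group name, the 30-day retention, the role and policy names, and an AWS provider of 4.x or later (where aws_cloudwatch_log_group.arn carries no trailing ":*") are assumptions.

```hcl
resource "aws_vpc" "main" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true

  tags = {
    Name = "main"
  }
}

# Destination for the flow records. Name, retention and the absence of a
# customer-managed KMS key are assumptions for this example.
resource "aws_cloudwatch_log_group" "vpc_flow_logs" {
  name              = "/aws/vpc/flow-logs/main"
  retention_in_days = 30
}

# Trust policy: only the VPC Flow Logs service may assume this role,
# so no human or instance can borrow it to write into the log group.
data "aws_iam_policy_document" "flow_logs_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["vpc-flow-logs.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "vpc_flow_logs" {
  name               = "vpc-flow-logs-main"
  assume_role_policy = data.aws_iam_policy_document.flow_logs_assume.json
}

# Least privilege: write access is limited to the one log group above.
# Describe* calls carry no resource-level scope, so they stay on "*".
data "aws_iam_policy_document" "flow_logs_write" {
  statement {
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["${aws_cloudwatch_log_group.vpc_flow_logs.arn}:*"]
  }

  statement {
    actions   = ["logs:DescribeLogGroups", "logs:DescribeLogStreams"]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "vpc_flow_logs" {
  name   = "vpc-flow-logs-write"
  role   = aws_iam_role.vpc_flow_logs.id
  policy = data.aws_iam_policy_document.flow_logs_write.json
}

# This resource is what CKV2_AWS_11 looks for. traffic_type = "ALL"
# records accepted and rejected flows; "REJECT" alone is cheaper but hides
# successful lateral movement, which is the traffic you want in an investigation.
resource "aws_flow_log" "main" {
  vpc_id          = aws_vpc.main.id
  traffic_type    = "ALL"
  log_destination = aws_cloudwatch_log_group.vpc_flow_logs.arn
  iam_role_arn    = aws_iam_role.vpc_flow_logs.arn
}
```

The role and policy exist only because the destination is CloudWatch Logs; with log_destination_type = "s3" the service writes straight to the bucket and iam_role_arn is not needed. Either way, the check passes as soon as an aws_flow_log references the VPC; whether the records are worth the cost depends on something actually consuming them.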
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.devops
File: /lessons/020/main.tf:163-166
163 | resource "aws_route53_zone" "devops" {
164 | name = "devopsbyexample.io"
165 | comment = ""
166 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.antonputra
File: /lessons/144/terraform/14.dns.tf:6-12
6 | resource "aws_route53_zone" "antonputra" {
7 | name = "antonputra.pvt"
8 |
9 | vpc {
10 | vpc_id = aws_vpc.main.id
11 | }
12 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.private
File: /lessons/145/terraform/13-private-dns.tf:6-12
6 | resource "aws_route53_zone" "private" {
7 | name = local.private_route53_zone
8 |
9 | vpc {
10 | vpc_id = aws_vpc.main.id
11 | }
12 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.antonputra_pvt
File: /lessons/146/terraform/14.dns.tf:2-8
2 | resource "aws_route53_zone" "antonputra_pvt" {
3 | name = "antonputra.pvt"
4 |
5 | vpc {
6 | vpc_id = aws_vpc.main.id
7 | }
8 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.private
File: /lessons/147/terraform/13-private-dns.tf:8-14
8 | resource "aws_route53_zone" "private" {
9 | name = local.private_route53_zone
10 |
11 | vpc {
12 | vpc_id = aws_vpc.main.id
13 | }
14 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.private
File: /lessons/149/terraform/13-private-dns.tf:6-12
6 | resource "aws_route53_zone" "private" {
7 | name = local.private_route53_zone
8 |
9 | vpc {
10 | vpc_id = aws_vpc.main.id
11 | }
12 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.private
File: /lessons/150/terraform/13-private-dns.tf:7-13
7 | resource "aws_route53_zone" "private" {
8 | name = local.private_route53_zone
9 |
10 | vpc {
11 | vpc_id = aws_vpc.main.id
12 | }
13 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.antonputra
File: /lessons/151/terraform/13.dns.tf:6-12
6 | resource "aws_route53_zone" "antonputra" {
7 | name = "antonputra.pvt"
8 |
9 | vpc {
10 | vpc_id = aws_vpc.main.id
11 | }
12 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.antonputra
File: /lessons/153/terraform/13.dns.tf:6-12
6 | resource "aws_route53_zone" "antonputra" {
7 | name = "antonputra.pvt"
8 |
9 | vpc {
10 | vpc_id = aws_vpc.main.id
11 | }
12 | }
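CKV2_AWS_38 is, as its title says, a check on public hosted zones, and Route 53 supports DNSSEC signing only for those. Every zone flagged above except aws_route53_zone.devops in lessons/020/main.tf carries a vpc block, which makes it a private hosted zone; on those resources the finding cannot be remediated and should be suppressed with a justified inline skip rather than worked around. The public zone is the one that needs signing. The block below is an added example, not code from the repository: the private zone copies the shape of the flagged resources and assumes an aws_vpc.main exists, and the provider alias us_east_1, the zone and key names, and the aws_caller_identity data source are assumptions.

```hcl
# Private hosted zone (vpc block present): DNSSEC signing is not available,
# so the finding is a false positive. The skip comment must sit inside the
# resource block and should carry the reason so reviewers can audit it.
resource "aws_route53_zone" "private" {
  #checkov:skip=CKV2_AWS_38:Private hosted zone, Route 53 DNSSEC signing applies to public zones only
  name = "antonputra.pvt"

  vpc {
    vpc_id = aws_vpc.main.id
  }
}

# Public hosted zone: here the finding is real.
resource "aws_route53_zone" "public" {
  name = "devopsbyexample.io"
}

data "aws_caller_identity" "current" {}

# Route 53 requires the key-signing key to be an asymmetric ECC_NIST_P256
# KMS key in us-east-1, whatever region the rest of the stack uses.
# A default aws provider is assumed to exist alongside this alias.
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

resource "aws_kms_key" "dnssec" {
  provider                 = aws.us_east_1
  customer_master_key_spec = "ECC_NIST_P256"
  key_usage                = "SIGN_VERIFY"
  deletion_window_in_days  = 7

  # Only the Route 53 DNSSEC service may sign with this key, and only
  # on behalf of hosted zones in this account.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AllowRoute53DnssecService"
        Effect    = "Allow"
        Principal = { Service = "dnssec-route53.amazonaws.com" }
        Action    = ["kms:DescribeKey", "kms:GetPublicKey", "kms:Sign"]
        Resource  = "*"
        Condition = {
          StringEquals = { "aws:SourceAccount" = data.aws_caller_identity.current.account_id }
          ArnLike      = { "aws:SourceArn" = "arn:aws:route53:::hostedzone/*" }
        }
      },
      {
        Sid       = "AllowRoute53DnssecToCreateGrant"
        Effect    = "Allow"
        Principal = { Service = "dnssec-route53.amazonaws.com" }
        Action    = "kms:CreateGrant"
        Resource  = "*"
        Condition = { Bool = { "kms:GrantIsForAWSResource" = "true" } }
      },
      {
        Sid       = "EnableIAMUserPermissions"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
    ]
  })
}

resource "aws_route53_key_signing_key" "public" {
  hosted_zone_id             = aws_route53_zone.public.id
  key_management_service_arn = aws_kms_key.dnssec.arn
  name                       = "public-ksk"
}

# Signing can only be enabled once the KSK exists; the explicit depends_on
# stops Terraform from creating the two resources in the wrong order.
resource "aws_route53_hosted_zone_dnssec" "public" {
  depends_on     = [aws_route53_key_signing_key.public]
  hosted_zone_id = aws_route53_key_signing_key.public.hosted_zone_id
}
```

Enabling signing is only half of DNSSEC: resolvers validate nothing until the DS record for the zone is published at the parent, which for a registered domain means the registrar (Route 53 Domains or otherwise). Until that step is done the zone is signed but the chain of trust is not established.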
cloudformation scan results:
Passed checks: 12, Failed checks: 18, Skipped checks: 0, Parsing errors: 2
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: AWS::Serverless::Function.APIFunction
File: /lessons/075/sam/template.yaml:10-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
10 | APIFunction:
11 | Type: AWS::Serverless::Function
12 | Properties:
13 | Runtime: nodejs14.x
14 | Handler: function.lambdaHandler
15 | CodeUri: api/
16 | Timeout: 3
17 | Events:
18 | Hello:
19 | Type: Api
20 | Properties:
21 | Path: /hello
22 | Method: POST
23 | RestApiId:
24 | Ref: HelloAPI
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: AWS::Serverless::Function.APIFunction
File: /lessons/075/sam/template.yaml:10-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
10 | APIFunction:
11 | Type: AWS::Serverless::Function
12 | Properties:
13 | Runtime: nodejs14.x
14 | Handler: function.lambdaHandler
15 | CodeUri: api/
16 | Timeout: 3
17 | Events:
18 | Hello:
19 | Type: Api
20 | Properties:
21 | Path: /hello
22 | Method: POST
23 | RestApiId:
24 | Ref: HelloAPI
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: AWS::Serverless::Function.APIFunction
File: /lessons/075/sam/template.yaml:10-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
10 | APIFunction:
11 | Type: AWS::Serverless::Function
12 | Properties:
13 | Runtime: nodejs14.x
14 | Handler: function.lambdaHandler
15 | CodeUri: api/
16 | Timeout: 3
17 | Events:
18 | Hello:
19 | Type: Api
20 | Properties:
21 | Path: /hello
22 | Method: POST
23 | RestApiId:
24 | Ref: HelloAPI
Check: CKV_AWS_120: "Ensure API Gateway caching is enabled"
FAILED for resource: AWS::Serverless::Api.HelloAPI
File: /lessons/075/sam/template.yaml:26-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-api-gateway-caching-is-enabled.html
26 | HelloAPI:
27 | Type: AWS::Serverless::Api
28 | Properties:
29 | StageName: staging
30 | OpenApiVersion: 3.0.3
Check: CKV_AWS_73: "Ensure API Gateway has X-Ray Tracing enabled"
FAILED for resource: AWS::Serverless::Api.HelloAPI
File: /lessons/075/sam/template.yaml:26-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-15.html
26 | HelloAPI:
27 | Type: AWS::Serverless::Api
28 | Properties:
29 | StageName: staging
30 | OpenApiVersion: 3.0.3
Check: CKV_AWS_76: "Ensure API Gateway has Access Logging enabled"
FAILED for resource: AWS::Serverless::Api.HelloAPI
File: /lessons/075/sam/template.yaml:26-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-17.html
26 | HelloAPI:
27 | Type: AWS::Serverless::Api
28 | Properties:
29 | StageName: staging
30 | OpenApiVersion: 3.0.3
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: AWS::Serverless::Function.S3Function
File: /lessons/075/sam/template.yaml:32-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
32 | S3Function:
33 | Type: AWS::Serverless::Function
34 | Properties:
35 | Runtime: nodejs14.x
36 | Handler: function.lambdaHandler
37 | CodeUri: s3/
38 | Timeout: 60
39 | Policies: AWSLambdaExecute
40 | Events:
41 | PrintEvent:
42 | Type: S3
43 | Properties:
44 | Bucket: !Ref ExampleBucket
45 | Events: s3:ObjectCreated:*
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: AWS::Serverless::Function.S3Function
File: /lessons/075/sam/template.yaml:32-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
32 | S3Function:
33 | Type: AWS::Serverless::Function
34 | Properties:
35 | Runtime: nodejs14.x
36 | Handler: function.lambdaHandler
37 | CodeUri: s3/
38 | Timeout: 60
39 | Policies: AWSLambdaExecute
40 | Events:
41 | PrintEvent:
42 | Type: S3
43 | Properties:
44 | Bucket: !Ref ExampleBucket
45 | Events: s3:ObjectCreated:*
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: AWS::Serverless::Function.S3Function
File: /lessons/075/sam/template.yaml:32-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
32 | S3Function:
33 | Type: AWS::Serverless::Function
34 | Properties:
35 | Runtime: nodejs14.x
36 | Handler: function.lambdaHandler
37 | CodeUri: s3/
38 | Timeout: 60
39 | Policies: AWSLambdaExecute
40 | Events:
41 | PrintEvent:
42 | Type: S3
43 | Properties:
44 | Bucket: !Ref ExampleBucket
45 | Events: s3:ObjectCreated:*
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: AWS::S3::Bucket.ExampleBucket
File: /lessons/075/sam/template.yaml:47-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
47 | ExampleBucket:
48 | Type: AWS::S3::Bucket
49 | Properties:
50 | BucketName: test-antonputra
Check: CKV_AWS_53: "Ensure S3 bucket has block public ACLS enabled"
FAILED for resource: AWS::S3::Bucket.ExampleBucket
File: /lessons/075/sam/template.yaml:47-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/bc-aws-s3-19.html
47 | ExampleBucket:
48 | Type: AWS::S3::Bucket
49 | Properties:
50 | BucketName: test-antonputra
Check: CKV_AWS_56: "Ensure S3 bucket has 'restrict_public_bucket' enabled"
FAILED for resource: AWS::S3::Bucket.ExampleBucket
File: /lessons/075/sam/template.yaml:47-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/bc-aws-s3-22.html
47 | ExampleBucket:
48 | Type: AWS::S3::Bucket
49 | Properties:
50 | BucketName: test-antonputra
Check: CKV_AWS_55: "Ensure S3 bucket has ignore public ACLs enabled"
FAILED for resource: AWS::S3::Bucket.ExampleBucket
File: /lessons/075/sam/template.yaml:47-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/bc-aws-s3-21.html
47 | ExampleBucket:
48 | Type: AWS::S3::Bucket
49 | Properties:
50 | BucketName: test-antonputra
Check: CKV_AWS_21: "Ensure the S3 bucket has versioning enabled"
FAILED for resource: AWS::S3::Bucket.ExampleBucket
File: /lessons/075/sam/template.yaml:47-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
47 | ExampleBucket:
48 | Type: AWS::S3::Bucket
49 | Properties:
50 | BucketName: test-antonputra
Check: CKV_AWS_54: "Ensure S3 bucket has block public policy enabled"
FAILED for resource: AWS::S3::Bucket.ExampleBucket
File: /lessons/075/sam/template.yaml:47-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/bc-aws-s3-20.html
47 | ExampleBucket:
48 | Type: AWS::S3::Bucket
49 | Properties:
50 | BucketName: test-antonputra
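ExampleBucket in lessons/075/sam/template.yaml is declared with nothing but a name, which is why six checks fire on it. The settings behind CKV_AWS_18, CKV_AWS_21 and CKV_AWS_53 through CKV_AWS_56 are the same S3 controls whichever tool deploys them; the added example below expresses them in Terraform to stay in one language with the other examples on this page, and names the CloudFormation property each one maps to in its comment. It is not code from the repository; the log bucket name, the prefix and the policy statement id are assumptions.

```hcl
resource "aws_s3_bucket" "example" {
  bucket = "test-antonputra"
}

# CloudFormation: PublicAccessBlockConfiguration. All four flags together
# make the bucket unreachable anonymously no matter what a later ACL or
# bucket policy tries to grant.
resource "aws_s3_bucket_public_access_block" "example" {
  bucket                  = aws_s3_bucket.example.id
  block_public_acls       = true # CKV_AWS_53
  block_public_policy     = true # CKV_AWS_54
  ignore_public_acls      = true # CKV_AWS_55
  restrict_public_buckets = true # CKV_AWS_56
}

# CloudFormation: VersioningConfiguration (CKV_AWS_21). Versioning keeps the
# previous copy when an object is overwritten or deleted, which is the
# recovery path after a leaked credential is used to wipe or tamper with data.
resource "aws_s3_bucket_versioning" "example" {
  bucket = aws_s3_bucket.example.id
  versioning_configuration {
    status = "Enabled"
  }
}

# CloudFormation: LoggingConfiguration (CKV_AWS_18). Access logs go to a
# separate bucket, which itself gets the same public-access block.
resource "aws_s3_bucket" "access_logs" {
  bucket = "test-antonputra-access-logs" # assumed name
}

resource "aws_s3_bucket_public_access_block" "access_logs" {
  bucket                  = aws_s3_bucket.access_logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# The S3 log delivery service must be allowed to write into the log bucket.
# Without this policy the logging configuration applies cleanly and no log
# ever arrives, which is easy to miss until an incident needs the records.
data "aws_iam_policy_document" "access_logs" {
  statement {
    sid       = "S3ServerAccessLogsPolicy"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.access_logs.arn}/s3/test-antonputra/*"]

    principals {
      type        = "Service"
      identifiers = ["logging.s3.amazonaws.com"]
    }

    # Only this source bucket may deliver logs under this prefix.
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = [aws_s3_bucket.example.arn]
    }
  }
}

resource "aws_s3_bucket_policy" "access_logs" {
  bucket = aws_s3_bucket.access_logs.id
  policy = data.aws_iam_policy_document.access_logs.json
}

resource "aws_s3_bucket_logging" "example" {
  bucket        = aws_s3_bucket.example.id
  target_bucket = aws_s3_bucket.access_logs.id
  target_prefix = "s3/test-antonputra/"
}
```

Expect checkov to raise CKV_AWS_18 and CKV_AWS_21 on the log bucket in turn; a bucket that only receives access logs is a reasonable place for an inline skip with the reason stated, rather than logging the log bucket to a third bucket.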
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: AWS::Serverless::Function.SNSFunction
File: /lessons/075/sam/template.yaml:52-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
52 | SNSFunction:
53 | Type: AWS::Serverless::Function
54 | Properties:
55 | PackageType: Image
56 | CodeUri: sns/
57 | Events:
58 | HelloWorld:
59 | Type: SNS
60 | Properties:
61 | Topic: arn:aws:sns:us-east-1:424432388155:sns-topic-for-lambda
62 | Metadata:
63 | Dockerfile: Dockerfile
64 | DockerContext: ./sns
65 | DockerTag: python3.8-v1
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: AWS::Serverless::Function.SNSFunction
File: /lessons/075/sam/template.yaml:52-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
52 | SNSFunction:
53 | Type: AWS::Serverless::Function
54 | Properties:
55 | PackageType: Image
56 | CodeUri: sns/
57 | Events:
58 | HelloWorld:
59 | Type: SNS
60 | Properties:
61 | Topic: arn:aws:sns:us-east-1:424432388155:sns-topic-for-lambda
62 | Metadata:
63 | Dockerfile: Dockerfile
64 | DockerContext: ./sns
65 | DockerTag: python3.8-v1
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: AWS::Serverless::Function.SNSFunction
File: /lessons/075/sam/template.yaml:52-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
52 | SNSFunction:
53 | Type: AWS::Serverless::Function
54 | Properties:
55 | PackageType: Image
56 | CodeUri: sns/
57 | Events:
58 | HelloWorld:
59 | Type: SNS
60 | Properties:
61 | Topic: arn:aws:sns:us-east-1:424432388155:sns-topic-for-lambda
62 | Metadata:
63 | Dockerfile: Dockerfile
64 | DockerContext: ./sns
65 | DockerTag: python3.8-v1
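The three AWS::Serverless::Function resources in lessons/075/sam/template.yaml fail CKV_AWS_115, CKV_AWS_116 and CKV_AWS_117, and two of those deserve thought rather than a blanket fix. A Lambda dead-letter queue only receives failed asynchronous invocations, so it protects S3Function and SNSFunction but never fires for APIFunction, which API Gateway invokes synchronously. VPC placement is a control over what the function can reach, worth having when you need private resources or egress restrictions and otherwise a candidate for a justified skip. The added example below, in Terraform rather than SAM and not code from the repository, hardens the S3-triggered function; the queue, role and artifact names and the nodejs18.x runtime are assumptions, and the CloudFormation or SAM property each setting corresponds to is named in the comments.

```hcl
resource "aws_sqs_queue" "s3_function_dlq" {
  name = "s3-function-dlq" # assumed name
}

data "aws_iam_policy_document" "lambda_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "s3_function" {
  name               = "s3-function"
  assume_role_policy = data.aws_iam_policy_document.lambda_assume.json
}

# Basic execution only covers CloudWatch Logs. The template's
# Policies: AWSLambdaExecute granted read/write on every bucket in the
# account; here the function gets only what it needs.
resource "aws_iam_role_policy_attachment" "s3_function_basic" {
  role       = aws_iam_role.s3_function.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

# The function must be allowed to send to its own DLQ, or a failed event
# is lost twice: once on invocation and again on delivery to the queue.
# (SAM adds this grant automatically for DeadLetterQueue; plain
# CloudFormation and Terraform do not.)
data "aws_iam_policy_document" "s3_function_dlq" {
  statement {
    actions   = ["sqs:SendMessage"]
    resources = [aws_sqs_queue.s3_function_dlq.arn]
  }
}

resource "aws_iam_role_policy" "s3_function_dlq" {
  role   = aws_iam_role.s3_function.id
  policy = data.aws_iam_policy_document.s3_function_dlq.json
}

resource "aws_lambda_function" "s3_function" {
  #checkov:skip=CKV_AWS_117:Function reaches only S3 and CloudWatch Logs, no private resources and no egress restriction required
  function_name = "s3-function"
  role          = aws_iam_role.s3_function.arn
  handler       = "function.lambdaHandler"
  runtime       = "nodejs18.x"
  filename      = "s3.zip" # assumed build artifact
  timeout       = 60

  # CloudFormation/SAM: ReservedConcurrentExecutions (CKV_AWS_115). Bounds
  # how far a burst of S3 events can fan out, which caps both the blast
  # radius of an upload storm and the bill. Setting it to 0 throttles every
  # invocation, a useful kill switch during an incident.
  reserved_concurrent_executions = 10

  # CloudFormation: DeadLetterConfig, SAM: DeadLetterQueue (CKV_AWS_116).
  # Used only for asynchronous invocations, which S3 and SNS triggers are.
  dead_letter_config {
    target_arn = aws_sqs_queue.s3_function_dlq.arn
  }
}
```

Reserved concurrency is carved out of the account's shared pool, so a value chosen for one function reduces what every other function can burst to; pick it from observed event rates rather than as a round number.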
kubernetes scan results:
Passed checks: 26184, Failed checks: 4597, Skipped checks: 0
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: DaemonSet
4 | metadata:
5 | name: local-volume-provisioner
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: local-volume-provisioner
11 | template:
12 | metadata:
13 | labels:
14 | app: local-volume-provisioner
15 | spec:
16 | serviceAccountName: local-storage-admin
17 | containers:
18 | - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
19 | name: provisioner
20 | securityContext:
21 | privileged: true
22 | env:
23 | - name: MY_NODE_NAME
24 | valueFrom:
25 | fieldRef:
26 | fieldPath: spec.nodeName
27 | volumeMounts:
28 | - mountPath: /etc/provisioner/config
29 | name: provisioner-config
30 | readOnly: true
31 | - mountPath: /mnt/ssd-disks
32 | name: ssd-disks
33 | mountPropagation: HostToContainer
34 | volumes:
35 | - name: provisioner-config
36 | configMap:
37 | name: local-provisioner-config
38 | - name: ssd-disks
39 | hostPath:
40 | path: /mnt/ssd-disks
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: DaemonSet
4 | metadata:
5 | name: local-volume-provisioner
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: local-volume-provisioner
11 | template:
12 | metadata:
13 | labels:
14 | app: local-volume-provisioner
15 | spec:
16 | serviceAccountName: local-storage-admin
17 | containers:
18 | - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
19 | name: provisioner
20 | securityContext:
21 | privileged: true
22 | env:
23 | - name: MY_NODE_NAME
24 | valueFrom:
25 | fieldRef:
26 | fieldPath: spec.nodeName
27 | volumeMounts:
28 | - mountPath: /etc/provisioner/config
29 | name: provisioner-config
30 | readOnly: true
31 | - mountPath: /mnt/ssd-disks
32 | name: ssd-disks
33 | mountPropagation: HostToContainer
34 | volumes:
35 | - name: provisioner-config
36 | configMap:
37 | name: local-provisioner-config
38 | - name: ssd-disks
39 | hostPath:
40 | path: /mnt/ssd-disks
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: DaemonSet
4 | metadata:
5 | name: local-volume-provisioner
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: local-volume-provisioner
11 | template:
12 | metadata:
13 | labels:
14 | app: local-volume-provisioner
15 | spec:
16 | serviceAccountName: local-storage-admin
17 | containers:
18 | - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
19 | name: provisioner
20 | securityContext:
21 | privileged: true
22 | env:
23 | - name: MY_NODE_NAME
24 | valueFrom:
25 | fieldRef:
26 | fieldPath: spec.nodeName
27 | volumeMounts:
28 | - mountPath: /etc/provisioner/config
29 | name: provisioner-config
30 | readOnly: true
31 | - mountPath: /mnt/ssd-disks
32 | name: ssd-disks
33 | mountPropagation: HostToContainer
34 | volumes:
35 | - name: provisioner-config
36 | configMap:
37 | name: local-provisioner-config
38 | - name: ssd-disks
39 | hostPath:
40 | path: /mnt/ssd-disks
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: apps/v1
3 | kind: DaemonSet
4 | metadata:
5 | name: local-volume-provisioner
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: local-volume-provisioner
11 | template:
12 | metadata:
13 | labels:
14 | app: local-volume-provisioner
15 | spec:
16 | serviceAccountName: local-storage-admin
17 | containers:
18 | - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
19 | name: provisioner
20 | securityContext:
21 | privileged: true
22 | env:
23 | - name: MY_NODE_NAME
24 | valueFrom:
25 | fieldRef:
26 | fieldPath: spec.nodeName
27 | volumeMounts:
28 | - mountPath: /etc/provisioner/config
29 | name: provisioner-config
30 | readOnly: true
31 | - mountPath: /mnt/ssd-disks
32 | name: ssd-disks
33 | mountPropagation: HostToContainer
34 | volumes:
35 | - name: provisioner-config
36 | configMap:
37 | name: local-provisioner-config
38 | - name: ssd-disks
39 | hostPath:
40 | path: /mnt/ssd-disks
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: DaemonSet
4 | metadata:
5 | name: local-volume-provisioner
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: local-volume-provisioner
11 | template:
12 | metadata:
13 | labels:
14 | app: local-volume-provisioner
15 | spec:
16 | serviceAccountName: local-storage-admin
17 | containers:
18 | - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
19 | name: provisioner
20 | securityContext:
21 | privileged: true
22 | env:
23 | - name: MY_NODE_NAME
24 | valueFrom:
25 | fieldRef:
26 | fieldPath: spec.nodeName
27 | volumeMounts:
28 | - mountPath: /etc/provisioner/config
29 | name: provisioner-config
30 | readOnly: true
31 | - mountPath: /mnt/ssd-disks
32 | name: ssd-disks
33 | mountPropagation: HostToContainer
34 | volumes:
35 | - name: provisioner-config
36 | configMap:
37 | name: local-provisioner-config
38 | - name: ssd-disks
39 | hostPath:
40 | path: /mnt/ssd-disks
Check: CKV_K8S_16: "Container should not be privileged"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-15.html
2 | apiVersion: apps/v1
3 | kind: DaemonSet
4 | metadata:
5 | name: local-volume-provisioner
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: local-volume-provisioner
11 | template:
12 | metadata:
13 | labels:
14 | app: local-volume-provisioner
15 | spec:
16 | serviceAccountName: local-storage-admin
17 | containers:
18 | - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
19 | name: provisioner
20 | securityContext:
21 | privileged: true
22 | env:
23 | - name: MY_NODE_NAME
24 | valueFrom:
25 | fieldRef:
26 | fieldPath: spec.nodeName
27 | volumeMounts:
28 | - mountPath: /etc/provisioner/config
29 | name: provisioner-config
30 | readOnly: true
31 | - mountPath: /mnt/ssd-disks
32 | name: ssd-disks
33 | mountPropagation: HostToContainer
34 | volumes:
35 | - name: provisioner-config
36 | configMap:
37 | name: local-provisioner-config
38 | - name: ssd-disks
39 | hostPath:
40 | path: /mnt/ssd-disks
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: DaemonSet
4 | metadata:
5 | name: local-volume-provisioner
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: local-volume-provisioner
11 | template:
12 | metadata:
13 | labels:
14 | app: local-volume-provisioner
15 | spec:
16 | serviceAccountName: local-storage-admin
17 | containers:
18 | - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
19 | name: provisioner
20 | securityContext:
21 | privileged: true
22 | env:
23 | - name: MY_NODE_NAME
24 | valueFrom:
25 | fieldRef:
26 | fieldPath: spec.nodeName
27 | volumeMounts:
28 | - mountPath: /etc/provisioner/config
29 | name: provisioner-config
30 | readOnly: true
31 | - mountPath: /mnt/ssd-disks
32 | name: ssd-disks
33 | mountPropagation: HostToContainer
34 | volumes:
35 | - name: provisioner-config
36 | configMap:
37 | name: local-provisioner-config
38 | - name: ssd-disks
39 | hostPath:
40 | path: /mnt/ssd-disks
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: DaemonSet
4 | metadata:
5 | name: local-volume-provisioner
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: local-volume-provisioner
11 | template:
12 | metadata:
13 | labels:
14 | app: local-volume-provisioner
15 | spec:
16 | serviceAccountName: local-storage-admin
17 | containers:
18 | - image: "k8s.gcr.io/sig-storage/local-volume-provisioner:v2.4.0"
19 | name: provisioner
20 | securityContext:
21 | privileged: true
22 | env:
23 | - name: MY_NODE_NAME
24 | valueFrom:
25 | fieldRef:
26 | fieldPath: spec.nodeName
27 | volumeMounts:
28 | - mountPath: /etc/provisioner/config
29 | name: provisioner-config
30 | readOnly: true
31 | - mountPath: /mnt/ssd-disks
32 | name: ssd-disks
33 | mountPropagation: HostToContainer
34 | volumes:
35 | - name: provisioner-config
36 | configMap:
37 | name: local-provisioner-config
38 | - name: ssd-disks
39 | hostPath:
40 | path: /mnt/ssd-disks
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: DaemonSet.default.local-volume-provisioner
File: /lessons/099/provisioner/daemonset.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ServiceAccount.default.local-storage-admin
File: /lessons/099/provisioner/rbac.yaml:2-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: ServiceAccount
4 | metadata:
5 | name: local-storage-admin
6 | namespace: default
7 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.local-provisioner-config
File: /lessons/099/provisioner/configmap.yaml:2-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: ConfigMap
4 | metadata:
5 | name: local-provisioner-config
6 | namespace: default
7 | data:
8 | storageClassMap: |
9 | ssd-disks:
10 | hostDir: /mnt/ssd-disks
11 | mountDir: /mnt/ssd-disks
12 | blockCleanerCommand:
13 | - "/scripts/shred.sh"
14 | - "2"
15 | volumeMode: Filesystem
16 | fsType: xfs
17 | namePattern: "*"
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: database-postgresql
6 | spec:
7 | serviceName: postgresql
8 | selector:
9 | matchLabels:
10 | app.kubernetes.io/name: postgresql
11 | template:
12 | metadata:
13 | name: database-postgresql
14 | labels:
15 | app.kubernetes.io/name: postgresql
16 | spec:
17 | containers:
18 | - name: database-postgresql
19 | image: docker.io/bitnami/postgresql:11.14.0-debian-10-r17
20 | securityContext:
21 | runAsUser: 0
22 | env:
23 | - name: POSTGRESQL_VOLUME_DIR
24 | value: /bitnami/postgresql
25 | - name: PGDATA
26 | value: /bitnami/postgresql/data
27 | - name: POSTGRES_USER
28 | value: postgres
29 | - name: POSTGRES_PASSWORD
30 | value: secret123
31 | ports:
32 | - name: tcp-postgresql
33 | containerPort: 5432
34 | volumeMounts:
35 | - name: dshm
36 | mountPath: /dev/shm
37 | - name: local-disk
38 | mountPath: /bitnami/postgresql
39 | subPath:
40 | volumes:
41 | - name: dshm
42 | emptyDir:
43 | medium: Memory
44 | - name: local-disk
45 | hostPath:
46 | path: /opt/postgresql-data
47 | type: DirectoryOrCreate
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/1-example.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: StatefulSet.default.database-postgresql
File: /lessons/099/examples/2-example.yaml:2-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v1
6 | namespace: staging
7 | spec:
8 | replicas: 3
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/156/fargate-example/1-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v1
6 | namespace: staging
7 | spec:
8 | replicas: 3
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-2
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-2
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-2
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-2
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-2
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-2
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-2
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-2
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-2
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-2
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-2
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-2
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-2
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-2
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-2
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-2
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-2
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-2
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-2
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-2
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-2
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-2
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-2
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-2
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-2
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-2
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-2
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-2
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-2
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-2
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-2
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-2
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-2
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-2
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-2
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-2
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.app-2
File: /lessons/156/efs-example/2-pod-2.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-2
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-2
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-1
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-1
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-1
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-1
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-1
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-1
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-1
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-1
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-1
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-1
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-1
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-1
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-1
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-1
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-1
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-1
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-1
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-1
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-1
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-1
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-1
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-1
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-1
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-1
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-1
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-1
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-1
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-1
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-1
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-1
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-1
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-1
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-1
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-1
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-1
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-1
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.app-1
File: /lessons/156/efs-example/1-pod-1.yaml:2-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: app-1
6 | namespace: default
7 | spec:
8 | containers:
9 | - name: app-1
10 | image: busybox
11 | command: ["/bin/sh"]
12 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
13 | volumeMounts:
14 | - name: persistent-storage
15 | mountPath: /data
16 | volumes:
17 | - name: persistent-storage
18 | persistentVolumeClaim:
19 | claimName: app
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: StatefulSet.default.web
File: /lessons/156/ebs-example/0-statefulset.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | serviceName: nginx
12 | replicas: 1
13 | minReadySeconds: 10
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: registry.k8s.io/nginx-slim:0.8
22 | ports:
23 | - containerPort: 80
24 | name: web
25 | volumeMounts:
26 | - name: www
27 | mountPath: /usr/share/nginx/html
28 | volumeClaimTemplates:
29 | - metadata:
30 | name: www
31 | spec:
32 | accessModes: ["ReadWriteOnce"]
33 | storageClassName: "gp2"
34 | resources:
35 | requests:
36 | storage: 10Gi
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/156/autoscale-example/0-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | labels:
7 | app: nginx
8 | spec:
9 | replicas: 5
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | resources:
22 | requests:
23 | cpu: "2"
24 | memory: 4Gi
25 | ports:
26 | - containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/156/autoscale-example/0-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | labels:
7 | app: nginx
8 | spec:
9 | replicas: 5
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | resources:
22 | requests:
23 | cpu: "2"
24 | memory: 4Gi
25 | ports:
26 | - containerPort: 80
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/156/autoscale-example/0-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | labels:
7 | app: nginx
8 | spec:
9 | replicas: 5
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | resources:
22 | requests:
23 | cpu: "2"
24 | memory: 4Gi
25 | ports:
26 | - containerPort: 80
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/156/autoscale-example/0-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | labels:
7 | app: nginx
8 | spec:
9 | replicas: 5
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | resources:
22 | requests:
23 | cpu: "2"
24 | memory: 4Gi
25 | ports:
26 | - containerPort: 80
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/156/autoscale-example/0-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | labels:
7 | app: nginx
8 | spec:
9 | replicas: 5
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | resources:
22 | requests:
23 | cpu: "2"
24 | memory: 4Gi
25 | ports:
26 | - containerPort: 80
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/156/autoscale-example/0-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | labels:
7 | app: nginx
8 | spec:
9 | replicas: 5
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | resources:
22 | requests:
23 | cpu: "2"
24 | memory: 4Gi
25 | ports:
26 | - containerPort: 80
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/156/autoscale-example/0-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | labels:
7 | app: nginx
8 | spec:
9 | replicas: 5
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | resources:
22 | requests:
23 | cpu: "2"
24 | memory: 4Gi
25 | ports:
26 | - containerPort: 80
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/156/autoscale-example/0-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | labels:
7 | app: nginx
8 | spec:
9 | replicas: 5
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | resources:
22 | requests:
23 | cpu: "2"
24 | memory: 4Gi
25 | ports:
26 | - containerPort: 80
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/156/autoscale-example/0-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | labels:
7 | app: nginx
8 | spec:
9 | replicas: 5
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | resources:
22 | requests:
23 | cpu: "2"
24 | memory: 4Gi
25 | ports:
26 | - containerPort: 80
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/156/autoscale-example/0-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | labels:
7 | app: nginx
8 | spec:
9 | replicas: 5
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | resources:
22 | requests:
23 | cpu: "2"
24 | memory: 4Gi
25 | ports:
26 | - containerPort: 80
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/156/autoscale-example/0-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | labels:
7 | app: nginx
8 | spec:
9 | replicas: 5
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | resources:
22 | requests:
23 | cpu: "2"
24 | memory: 4Gi
25 | ports:
26 | - containerPort: 80
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/156/autoscale-example/0-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | labels:
7 | app: nginx
8 | spec:
9 | replicas: 5
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | resources:
22 | requests:
23 | cpu: "2"
24 | memory: 4Gi
25 | ports:
26 | - containerPort: 80
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/156/autoscale-example/0-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | labels:
7 | app: nginx
8 | spec:
9 | replicas: 5
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | resources:
22 | requests:
23 | cpu: "2"
24 | memory: 4Gi
25 | ports:
26 | - containerPort: 80
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/156/autoscale-example/0-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | labels:
7 | app: nginx
8 | spec:
9 | replicas: 5
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | resources:
22 | requests:
23 | cpu: "2"
24 | memory: 4Gi
25 | ports:
26 | - containerPort: 80
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/156/autoscale-example/0-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | labels:
7 | app: nginx
8 | spec:
9 | replicas: 5
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | resources:
22 | requests:
23 | cpu: "2"
24 | memory: 4Gi
25 | ports:
26 | - containerPort: 80
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/156/autoscale-example/0-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | labels:
7 | app: nginx
8 | spec:
9 | replicas: 5
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | resources:
22 | requests:
23 | cpu: "2"
24 | memory: 4Gi
25 | ports:
26 | - containerPort: 80
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/156/autoscale-example/0-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | labels:
7 | app: nginx
8 | spec:
9 | replicas: 5
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | resources:
22 | requests:
23 | cpu: "2"
24 | memory: 4Gi
25 | ports:
26 | - containerPort: 80
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.echoserver
File: /lessons/156/alb-example/0-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.echoserver
File: /lessons/156/alb-example/0-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.echoserver
File: /lessons/156/alb-example/0-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.echoserver
File: /lessons/156/alb-example/0-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.echoserver
File: /lessons/156/alb-example/0-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.echoserver
File: /lessons/156/alb-example/0-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.echoserver
File: /lessons/156/alb-example/0-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.echoserver
File: /lessons/156/alb-example/0-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.echoserver
File: /lessons/156/alb-example/0-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.echoserver
File: /lessons/156/alb-example/0-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.echoserver
File: /lessons/156/alb-example/0-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.echoserver
File: /lessons/156/alb-example/0-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.echoserver
File: /lessons/156/alb-example/0-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.echoserver
File: /lessons/156/alb-example/0-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.echoserver
File: /lessons/156/alb-example/0-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.echoserver
File: /lessons/156/alb-example/0-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.echoserver
File: /lessons/156/alb-example/0-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.echoserver
File: /lessons/156/alb-example/0-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.echoserver
File: /lessons/156/alb-example/0-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Ingress.default.echoserver
File: /lessons/156/alb-example/2-ingress.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: networking.k8s.io/v1
3 | kind: Ingress
4 | metadata:
5 | name: echoserver
6 | namespace: default
7 | annotations:
8 | alb.ingress.kubernetes.io/scheme: internet-facing
9 | alb.ingress.kubernetes.io/target-type: ip
10 | spec:
11 | ingressClassName: alb
12 | rules:
13 | - host: api.antonputra.com
14 | http:
15 | paths:
16 | - path: /
17 | pathType: Exact
18 | backend:
19 | service:
20 | name: echoserver
21 | port:
22 | number: 8080
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.echoserver
File: /lessons/156/alb-example/1-service.yaml:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: Service
4 | metadata:
5 | name: echoserver
6 | namespace: default
7 | spec:
8 | ports:
9 | - port: 8080
10 | protocol: TCP
11 | type: ClusterIP
12 | selector:
13 | app: echoserver
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.service-b.service-b
File: /lessons/175/k8s/service-b/3-pod.yaml:2-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: service-b
6 | namespace: service-b
7 | labels:
8 | app: service-b
9 | spec:
10 | serviceAccountName: service-b
11 | containers:
12 | - name: ubuntu
13 | image: alpine/curl:8.2.1
14 | command: ["/bin/sh", "-c", "--"]
15 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.service-b.service-b
File: /lessons/175/k8s/service-b/3-pod.yaml:2-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: service-b
6 | namespace: service-b
7 | labels:
8 | app: service-b
9 | spec:
10 | serviceAccountName: service-b
11 | containers:
12 | - name: ubuntu
13 | image: alpine/curl:8.2.1
14 | command: ["/bin/sh", "-c", "--"]
15 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Pod.service-b.service-b
File: /lessons/175/k8s/service-b/3-pod.yaml:2-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: service-b
6 | namespace: service-b
7 | labels:
8 | app: service-b
9 | spec:
10 | serviceAccountName: service-b
11 | containers:
12 | - name: ubuntu
13 | image: alpine/curl:8.2.1
14 | command: ["/bin/sh", "-c", "--"]
15 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.service-b.service-b
File: /lessons/175/k8s/service-b/3-pod.yaml:2-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: service-b
6 | namespace: service-b
7 | labels:
8 | app: service-b
9 | spec:
10 | serviceAccountName: service-b
11 | containers:
12 | - name: ubuntu
13 | image: alpine/curl:8.2.1
14 | command: ["/bin/sh", "-c", "--"]
15 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.service-b.service-b
File: /lessons/175/k8s/service-b/3-pod.yaml:2-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: service-b
6 | namespace: service-b
7 | labels:
8 | app: service-b
9 | spec:
10 | serviceAccountName: service-b
11 | containers:
12 | - name: ubuntu
13 | image: alpine/curl:8.2.1
14 | command: ["/bin/sh", "-c", "--"]
15 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.service-b.service-b
File: /lessons/175/k8s/service-b/3-pod.yaml:2-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: service-b
6 | namespace: service-b
7 | labels:
8 | app: service-b
9 | spec:
10 | serviceAccountName: service-b
11 | containers:
12 | - name: ubuntu
13 | image: alpine/curl:8.2.1
14 | command: ["/bin/sh", "-c", "--"]
15 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.service-b.service-b
File: /lessons/175/k8s/service-b/3-pod.yaml:2-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: service-b
6 | namespace: service-b
7 | labels:
8 | app: service-b
9 | spec:
10 | serviceAccountName: service-b
11 | containers:
12 | - name: ubuntu
13 | image: alpine/curl:8.2.1
14 | command: ["/bin/sh", "-c", "--"]
15 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.service-b.service-b
File: /lessons/175/k8s/service-b/3-pod.yaml:2-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: service-b
6 | namespace: service-b
7 | labels:
8 | app: service-b
9 | spec:
10 | serviceAccountName: service-b
11 | containers:
12 | - name: ubuntu
13 | image: alpine/curl:8.2.1
14 | command: ["/bin/sh", "-c", "--"]
15 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.service-b.service-b
File: /lessons/175/k8s/service-b/3-pod.yaml:2-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: service-b
6 | namespace: service-b
7 | labels:
8 | app: service-b
9 | spec:
10 | serviceAccountName: service-b
11 | containers:
12 | - name: ubuntu
13 | image: alpine/curl:8.2.1
14 | command: ["/bin/sh", "-c", "--"]
15 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.service-b.service-b
File: /lessons/175/k8s/service-b/3-pod.yaml:2-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: service-b
6 | namespace: service-b
7 | labels:
8 | app: service-b
9 | spec:
10 | serviceAccountName: service-b
11 | containers:
12 | - name: ubuntu
13 | image: alpine/curl:8.2.1
14 | command: ["/bin/sh", "-c", "--"]
15 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.service-b.service-b
File: /lessons/175/k8s/service-b/3-pod.yaml:2-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: service-b
6 | namespace: service-b
7 | labels:
8 | app: service-b
9 | spec:
10 | serviceAccountName: service-b
11 | containers:
12 | - name: ubuntu
13 | image: alpine/curl:8.2.1
14 | command: ["/bin/sh", "-c", "--"]
15 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.service-b.service-b
File: /lessons/175/k8s/service-b/3-pod.yaml:2-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: service-b
6 | namespace: service-b
7 | labels:
8 | app: service-b
9 | spec:
10 | serviceAccountName: service-b
11 | containers:
12 | - name: ubuntu
13 | image: alpine/curl:8.2.1
14 | command: ["/bin/sh", "-c", "--"]
15 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.service-b.service-b
File: /lessons/175/k8s/service-b/3-pod.yaml:2-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: service-b
6 | namespace: service-b
7 | labels:
8 | app: service-b
9 | spec:
10 | serviceAccountName: service-b
11 | containers:
12 | - name: ubuntu
13 | image: alpine/curl:8.2.1
14 | command: ["/bin/sh", "-c", "--"]
15 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.service-b.service-b
File: /lessons/175/k8s/service-b/3-pod.yaml:2-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: service-b
6 | namespace: service-b
7 | labels:
8 | app: service-b
9 | spec:
10 | serviceAccountName: service-b
11 | containers:
12 | - name: ubuntu
13 | image: alpine/curl:8.2.1
14 | command: ["/bin/sh", "-c", "--"]
15 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.service-b.service-b
File: /lessons/175/k8s/service-b/3-pod.yaml:2-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: service-b
6 | namespace: service-b
7 | labels:
8 | app: service-b
9 | spec:
10 | serviceAccountName: service-b
11 | containers:
12 | - name: ubuntu
13 | image: alpine/curl:8.2.1
14 | command: ["/bin/sh", "-c", "--"]
15 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Pod.service-b.service-b
File: /lessons/175/k8s/service-b/3-pod.yaml:2-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: service-b
6 | namespace: service-b
7 | labels:
8 | app: service-b
9 | spec:
10 | serviceAccountName: service-b
11 | containers:
12 | - name: ubuntu
13 | image: alpine/curl:8.2.1
14 | command: ["/bin/sh", "-c", "--"]
15 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Pod.service-b.service-b
File: /lessons/175/k8s/service-b/3-pod.yaml:2-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: service-b
6 | namespace: service-b
7 | labels:
8 | app: service-b
9 | spec:
10 | serviceAccountName: service-b
11 | containers:
12 | - name: ubuntu
13 | image: alpine/curl:8.2.1
14 | command: ["/bin/sh", "-c", "--"]
15 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.service-b.service-b
File: /lessons/175/k8s/service-b/3-pod.yaml:2-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: service-b
6 | namespace: service-b
7 | labels:
8 | app: service-b
9 | spec:
10 | serviceAccountName: service-b
11 | containers:
12 | - name: ubuntu
13 | image: alpine/curl:8.2.1
14 | command: ["/bin/sh", "-c", "--"]
15 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.service-a.service-a
File: /lessons/175/k8s/service-a/6-service-a-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: service-a
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-a
12 | template:
13 | metadata:
14 | labels:
15 | app: service-a
16 | spec:
17 | serviceAccountName: service-a
18 | containers:
19 | - name: service-a
20 | image: aputra/myapp-175:v1
21 | imagePullPolicy: Always
22 | ports:
23 | - name: http
24 | containerPort: 8080
25 | startupProbe:
26 | tcpSocket:
27 | port: http
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.service-a.service-a
File: /lessons/175/k8s/service-a/6-service-a-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: service-a
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-a
12 | template:
13 | metadata:
14 | labels:
15 | app: service-a
16 | spec:
17 | serviceAccountName: service-a
18 | containers:
19 | - name: service-a
20 | image: aputra/myapp-175:v1
21 | imagePullPolicy: Always
22 | ports:
23 | - name: http
24 | containerPort: 8080
25 | startupProbe:
26 | tcpSocket:
27 | port: http
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.service-a.service-a
File: /lessons/175/k8s/service-a/6-service-a-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: service-a
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-a
12 | template:
13 | metadata:
14 | labels:
15 | app: service-a
16 | spec:
17 | serviceAccountName: service-a
18 | containers:
19 | - name: service-a
20 | image: aputra/myapp-175:v1
21 | imagePullPolicy: Always
22 | ports:
23 | - name: http
24 | containerPort: 8080
25 | startupProbe:
26 | tcpSocket:
27 | port: http
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.service-a.service-a
File: /lessons/175/k8s/service-a/6-service-a-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: service-a
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-a
12 | template:
13 | metadata:
14 | labels:
15 | app: service-a
16 | spec:
17 | serviceAccountName: service-a
18 | containers:
19 | - name: service-a
20 | image: aputra/myapp-175:v1
21 | imagePullPolicy: Always
22 | ports:
23 | - name: http
24 | containerPort: 8080
25 | startupProbe:
26 | tcpSocket:
27 | port: http
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.service-a.service-a
File: /lessons/175/k8s/service-a/6-service-a-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: service-a
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-a
12 | template:
13 | metadata:
14 | labels:
15 | app: service-a
16 | spec:
17 | serviceAccountName: service-a
18 | containers:
19 | - name: service-a
20 | image: aputra/myapp-175:v1
21 | imagePullPolicy: Always
22 | ports:
23 | - name: http
24 | containerPort: 8080
25 | startupProbe:
26 | tcpSocket:
27 | port: http
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.service-a.service-a
File: /lessons/175/k8s/service-a/6-service-a-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
 2 | apiVersion: apps/v1
 3 | kind: Deployment
 4 | metadata:
 5 |   name: service-a
 6 |   namespace: service-a
 7 | spec:
 8 |   replicas: 1
 9 |   selector:
10 |     matchLabels:
11 |       app: service-a
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-a
16 |     spec:
17 |       serviceAccountName: service-a
18 |       containers:
19 |         - name: service-a
20 |           image: aputra/myapp-175:v1
21 |           imagePullPolicy: Always
22 |           ports:
23 |             - name: http
24 |               containerPort: 8080
25 |           startupProbe:
26 |             tcpSocket:
27 |               port: http
28 |             initialDelaySeconds: 20
29 |             periodSeconds: 5
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.service-a.service-a
File: /lessons/175/k8s/service-a/6-service-a-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
 2 | apiVersion: apps/v1
 3 | kind: Deployment
 4 | metadata:
 5 |   name: service-a
 6 |   namespace: service-a
 7 | spec:
 8 |   replicas: 1
 9 |   selector:
10 |     matchLabels:
11 |       app: service-a
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-a
16 |     spec:
17 |       serviceAccountName: service-a
18 |       containers:
19 |         - name: service-a
20 |           image: aputra/myapp-175:v1
21 |           imagePullPolicy: Always
22 |           ports:
23 |             - name: http
24 |               containerPort: 8080
25 |           startupProbe:
26 |             tcpSocket:
27 |               port: http
28 |             initialDelaySeconds: 20
29 |             periodSeconds: 5
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.service-a.service-a
File: /lessons/175/k8s/service-a/6-service-a-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
 2 | apiVersion: apps/v1
 3 | kind: Deployment
 4 | metadata:
 5 |   name: service-a
 6 |   namespace: service-a
 7 | spec:
 8 |   replicas: 1
 9 |   selector:
10 |     matchLabels:
11 |       app: service-a
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-a
16 |     spec:
17 |       serviceAccountName: service-a
18 |       containers:
19 |         - name: service-a
20 |           image: aputra/myapp-175:v1
21 |           imagePullPolicy: Always
22 |           ports:
23 |             - name: http
24 |               containerPort: 8080
25 |           startupProbe:
26 |             tcpSocket:
27 |               port: http
28 |             initialDelaySeconds: 20
29 |             periodSeconds: 5
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.service-a.service-a
File: /lessons/175/k8s/service-a/6-service-a-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
 2 | apiVersion: apps/v1
 3 | kind: Deployment
 4 | metadata:
 5 |   name: service-a
 6 |   namespace: service-a
 7 | spec:
 8 |   replicas: 1
 9 |   selector:
10 |     matchLabels:
11 |       app: service-a
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-a
16 |     spec:
17 |       serviceAccountName: service-a
18 |       containers:
19 |         - name: service-a
20 |           image: aputra/myapp-175:v1
21 |           imagePullPolicy: Always
22 |           ports:
23 |             - name: http
24 |               containerPort: 8080
25 |           startupProbe:
26 |             tcpSocket:
27 |               port: http
28 |             initialDelaySeconds: 20
29 |             periodSeconds: 5
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.service-a.service-a
File: /lessons/175/k8s/service-a/6-service-a-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
 2 | apiVersion: apps/v1
 3 | kind: Deployment
 4 | metadata:
 5 |   name: service-a
 6 |   namespace: service-a
 7 | spec:
 8 |   replicas: 1
 9 |   selector:
10 |     matchLabels:
11 |       app: service-a
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-a
16 |     spec:
17 |       serviceAccountName: service-a
18 |       containers:
19 |         - name: service-a
20 |           image: aputra/myapp-175:v1
21 |           imagePullPolicy: Always
22 |           ports:
23 |             - name: http
24 |               containerPort: 8080
25 |           startupProbe:
26 |             tcpSocket:
27 |               port: http
28 |             initialDelaySeconds: 20
29 |             periodSeconds: 5
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.service-a.service-a
File: /lessons/175/k8s/service-a/6-service-a-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
 2 | apiVersion: apps/v1
 3 | kind: Deployment
 4 | metadata:
 5 |   name: service-a
 6 |   namespace: service-a
 7 | spec:
 8 |   replicas: 1
 9 |   selector:
10 |     matchLabels:
11 |       app: service-a
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-a
16 |     spec:
17 |       serviceAccountName: service-a
18 |       containers:
19 |         - name: service-a
20 |           image: aputra/myapp-175:v1
21 |           imagePullPolicy: Always
22 |           ports:
23 |             - name: http
24 |               containerPort: 8080
25 |           startupProbe:
26 |             tcpSocket:
27 |               port: http
28 |             initialDelaySeconds: 20
29 |             periodSeconds: 5
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.service-a.service-a
File: /lessons/175/k8s/service-a/6-service-a-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
 2 | apiVersion: apps/v1
 3 | kind: Deployment
 4 | metadata:
 5 |   name: service-a
 6 |   namespace: service-a
 7 | spec:
 8 |   replicas: 1
 9 |   selector:
10 |     matchLabels:
11 |       app: service-a
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-a
16 |     spec:
17 |       serviceAccountName: service-a
18 |       containers:
19 |         - name: service-a
20 |           image: aputra/myapp-175:v1
21 |           imagePullPolicy: Always
22 |           ports:
23 |             - name: http
24 |               containerPort: 8080
25 |           startupProbe:
26 |             tcpSocket:
27 |               port: http
28 |             initialDelaySeconds: 20
29 |             periodSeconds: 5
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.service-a.service-a
File: /lessons/175/k8s/service-a/6-service-a-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
 2 | apiVersion: apps/v1
 3 | kind: Deployment
 4 | metadata:
 5 |   name: service-a
 6 |   namespace: service-a
 7 | spec:
 8 |   replicas: 1
 9 |   selector:
10 |     matchLabels:
11 |       app: service-a
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-a
16 |     spec:
17 |       serviceAccountName: service-a
18 |       containers:
19 |         - name: service-a
20 |           image: aputra/myapp-175:v1
21 |           imagePullPolicy: Always
22 |           ports:
23 |             - name: http
24 |               containerPort: 8080
25 |           startupProbe:
26 |             tcpSocket:
27 |               port: http
28 |             initialDelaySeconds: 20
29 |             periodSeconds: 5
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.service-a.service-a
File: /lessons/175/k8s/service-a/6-service-a-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
 2 | apiVersion: apps/v1
 3 | kind: Deployment
 4 | metadata:
 5 |   name: service-a
 6 |   namespace: service-a
 7 | spec:
 8 |   replicas: 1
 9 |   selector:
10 |     matchLabels:
11 |       app: service-a
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-a
16 |     spec:
17 |       serviceAccountName: service-a
18 |       containers:
19 |         - name: service-a
20 |           image: aputra/myapp-175:v1
21 |           imagePullPolicy: Always
22 |           ports:
23 |             - name: http
24 |               containerPort: 8080
25 |           startupProbe:
26 |             tcpSocket:
27 |               port: http
28 |             initialDelaySeconds: 20
29 |             periodSeconds: 5
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.service-a.service-a
File: /lessons/175/k8s/service-a/6-service-a-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
 2 | apiVersion: apps/v1
 3 | kind: Deployment
 4 | metadata:
 5 |   name: service-a
 6 |   namespace: service-a
 7 | spec:
 8 |   replicas: 1
 9 |   selector:
10 |     matchLabels:
11 |       app: service-a
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-a
16 |     spec:
17 |       serviceAccountName: service-a
18 |       containers:
19 |         - name: service-a
20 |           image: aputra/myapp-175:v1
21 |           imagePullPolicy: Always
22 |           ports:
23 |             - name: http
24 |               containerPort: 8080
25 |           startupProbe:
26 |             tcpSocket:
27 |               port: http
28 |             initialDelaySeconds: 20
29 |             periodSeconds: 5
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.service-a.service-a
File: /lessons/175/k8s/service-a/6-service-a-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
 2 | apiVersion: apps/v1
 3 | kind: Deployment
 4 | metadata:
 5 |   name: service-a
 6 |   namespace: service-a
 7 | spec:
 8 |   replicas: 1
 9 |   selector:
10 |     matchLabels:
11 |       app: service-a
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-a
16 |     spec:
17 |       serviceAccountName: service-a
18 |       containers:
19 |         - name: service-a
20 |           image: aputra/myapp-175:v1
21 |           imagePullPolicy: Always
22 |           ports:
23 |             - name: http
24 |               containerPort: 8080
25 |           startupProbe:
26 |             tcpSocket:
27 |               port: http
28 |             initialDelaySeconds: 20
29 |             periodSeconds: 5
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.service-a.service-a
File: /lessons/175/k8s/service-a/6-service-a-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
 2 | apiVersion: apps/v1
 3 | kind: Deployment
 4 | metadata:
 5 |   name: service-a
 6 |   namespace: service-a
 7 | spec:
 8 |   replicas: 1
 9 |   selector:
10 |     matchLabels:
11 |       app: service-a
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-a
16 |     spec:
17 |       serviceAccountName: service-a
18 |       containers:
19 |         - name: service-a
20 |           image: aputra/myapp-175:v1
21 |           imagePullPolicy: Always
22 |           ports:
23 |             - name: http
24 |               containerPort: 8080
25 |           startupProbe:
26 |             tcpSocket:
27 |               port: http
28 |             initialDelaySeconds: 20
29 |             periodSeconds: 5
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/172/monitoring/cadvisor/daemonset.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/172/monitoring/cadvisor/daemonset.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/172/monitoring/cadvisor/daemonset.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/172/monitoring/cadvisor/daemonset.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/172/monitoring/cadvisor/daemonset.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/172/monitoring/cadvisor/daemonset.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/172/monitoring/cadvisor/daemonset.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/172/monitoring/cadvisor/daemonset.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/172/monitoring/cadvisor/daemonset.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/172/monitoring/cadvisor/daemonset.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/172/monitoring/cadvisor/daemonset.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/172/monitoring/cadvisor/daemonset.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/172/monitoring/cadvisor/daemonset.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/172/monitoring/grafana/deployment.yaml:2-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/172/monitoring/grafana/deployment.yaml:2-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/172/monitoring/grafana/deployment.yaml:2-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/172/monitoring/grafana/deployment.yaml:2-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/172/monitoring/grafana/deployment.yaml:2-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/172/monitoring/grafana/deployment.yaml:2-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/172/monitoring/grafana/deployment.yaml:2-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/172/monitoring/grafana/deployment.yaml:2-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/172/monitoring/grafana/deployment.yaml:2-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/172/monitoring/grafana/deployment.yaml:2-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/172/monitoring/grafana/deployment.yaml:2-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: ClusterRole.default.prometheus-operator
File: /lessons/172/monitoring/prometheus-operator/deployment/cluster-role.yaml:2-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/172/monitoring/prometheus-operator/deployment/deployment.yaml:2-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/172/monitoring/prometheus-operator/deployment/deployment.yaml:2-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/172/monitoring/prometheus-operator/deployment/deployment.yaml:2-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/172/monitoring/prometheus-operator/deployment/deployment.yaml:2-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/172/monitoring/prometheus-operator/deployment/deployment.yaml:2-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/172/monitoring/kube-state-metrics/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/172/monitoring/kube-state-metrics/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/172/monitoring/kube-state-metrics/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/172/monitoring/kube-state-metrics/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/172/monitoring/kube-state-metrics/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Job.default.linkerd-client
File: /lessons/172/1-test/jobs/0-linkerd-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
 2 | apiVersion: batch/v1
 3 | kind: Job
 4 | metadata:
 5 |   name: linkerd-client
 6 |   namespace: default
 7 | spec:
 8 |   template:
 9 |     metadata:
10 |       labels:
11 |         app: linkerd-client
12 |       annotations:
13 |         linkerd.io/inject: enabled
14 |         config.linkerd.io/proxy-cpu-limit: 500m
15 |         config.linkerd.io/proxy-cpu-request: 500m
16 |         config.linkerd.io/proxy-memory-limit: 256Mi
17 |         config.linkerd.io/proxy-memory-request: 256Mi
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: linkerd-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "1000", "-scaleInterval", "1000", "-target1", "http://myapp-linkerd.default:8181/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Job.default.linkerd-client
File: /lessons/172/1-test/jobs/0-linkerd-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
 2 | apiVersion: batch/v1
 3 | kind: Job
 4 | metadata:
 5 |   name: linkerd-client
 6 |   namespace: default
 7 | spec:
 8 |   template:
 9 |     metadata:
10 |       labels:
11 |         app: linkerd-client
12 |       annotations:
13 |         linkerd.io/inject: enabled
14 |         config.linkerd.io/proxy-cpu-limit: 500m
15 |         config.linkerd.io/proxy-cpu-request: 500m
16 |         config.linkerd.io/proxy-memory-limit: 256Mi
17 |         config.linkerd.io/proxy-memory-request: 256Mi
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: linkerd-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "1000", "-scaleInterval", "1000", "-target1", "http://myapp-linkerd.default:8181/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Job.default.linkerd-client
File: /lessons/172/1-test/jobs/0-linkerd-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
 2 | apiVersion: batch/v1
 3 | kind: Job
 4 | metadata:
 5 |   name: linkerd-client
 6 |   namespace: default
 7 | spec:
 8 |   template:
 9 |     metadata:
10 |       labels:
11 |         app: linkerd-client
12 |       annotations:
13 |         linkerd.io/inject: enabled
14 |         config.linkerd.io/proxy-cpu-limit: 500m
15 |         config.linkerd.io/proxy-cpu-request: 500m
16 |         config.linkerd.io/proxy-memory-limit: 256Mi
17 |         config.linkerd.io/proxy-memory-request: 256Mi
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: linkerd-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "1000", "-scaleInterval", "1000", "-target1", "http://myapp-linkerd.default:8181/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Job.default.linkerd-client
File: /lessons/172/1-test/jobs/0-linkerd-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
 2 | apiVersion: batch/v1
 3 | kind: Job
 4 | metadata:
 5 |   name: linkerd-client
 6 |   namespace: default
 7 | spec:
 8 |   template:
 9 |     metadata:
10 |       labels:
11 |         app: linkerd-client
12 |       annotations:
13 |         linkerd.io/inject: enabled
14 |         config.linkerd.io/proxy-cpu-limit: 500m
15 |         config.linkerd.io/proxy-cpu-request: 500m
16 |         config.linkerd.io/proxy-memory-limit: 256Mi
17 |         config.linkerd.io/proxy-memory-request: 256Mi
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: linkerd-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "1000", "-scaleInterval", "1000", "-target1", "http://myapp-linkerd.default:8181/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Job.default.linkerd-client
File: /lessons/172/1-test/jobs/0-linkerd-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: linkerd-client
6 |   namespace: default
7 | spec:
8 |   template:
9 |     metadata:
10 |       labels:
11 |         app: linkerd-client
12 |       annotations:
13 |         linkerd.io/inject: enabled
14 |         config.linkerd.io/proxy-cpu-limit: 500m
15 |         config.linkerd.io/proxy-cpu-request: 500m
16 |         config.linkerd.io/proxy-memory-limit: 256Mi
17 |         config.linkerd.io/proxy-memory-request: 256Mi
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: linkerd-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "1000", "-scaleInterval", "1000", "-target1", "http://myapp-linkerd.default:8181/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Job.default.linkerd-client
File: /lessons/172/1-test/jobs/0-linkerd-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: linkerd-client
6 |   namespace: default
7 | spec:
8 |   template:
9 |     metadata:
10 |       labels:
11 |         app: linkerd-client
12 |       annotations:
13 |         linkerd.io/inject: enabled
14 |         config.linkerd.io/proxy-cpu-limit: 500m
15 |         config.linkerd.io/proxy-cpu-request: 500m
16 |         config.linkerd.io/proxy-memory-limit: 256Mi
17 |         config.linkerd.io/proxy-memory-request: 256Mi
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: linkerd-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "1000", "-scaleInterval", "1000", "-target1", "http://myapp-linkerd.default:8181/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Job.default.linkerd-client
File: /lessons/172/1-test/jobs/0-linkerd-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: linkerd-client
6 |   namespace: default
7 | spec:
8 |   template:
9 |     metadata:
10 |       labels:
11 |         app: linkerd-client
12 |       annotations:
13 |         linkerd.io/inject: enabled
14 |         config.linkerd.io/proxy-cpu-limit: 500m
15 |         config.linkerd.io/proxy-cpu-request: 500m
16 |         config.linkerd.io/proxy-memory-limit: 256Mi
17 |         config.linkerd.io/proxy-memory-request: 256Mi
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: linkerd-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "1000", "-scaleInterval", "1000", "-target1", "http://myapp-linkerd.default:8181/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Job.default.linkerd-client
File: /lessons/172/1-test/jobs/0-linkerd-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: linkerd-client
6 |   namespace: default
7 | spec:
8 |   template:
9 |     metadata:
10 |       labels:
11 |         app: linkerd-client
12 |       annotations:
13 |         linkerd.io/inject: enabled
14 |         config.linkerd.io/proxy-cpu-limit: 500m
15 |         config.linkerd.io/proxy-cpu-request: 500m
16 |         config.linkerd.io/proxy-memory-limit: 256Mi
17 |         config.linkerd.io/proxy-memory-request: 256Mi
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: linkerd-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "1000", "-scaleInterval", "1000", "-target1", "http://myapp-linkerd.default:8181/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Job.default.linkerd-client
File: /lessons/172/1-test/jobs/0-linkerd-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: linkerd-client
6 |   namespace: default
7 | spec:
8 |   template:
9 |     metadata:
10 |       labels:
11 |         app: linkerd-client
12 |       annotations:
13 |         linkerd.io/inject: enabled
14 |         config.linkerd.io/proxy-cpu-limit: 500m
15 |         config.linkerd.io/proxy-cpu-request: 500m
16 |         config.linkerd.io/proxy-memory-limit: 256Mi
17 |         config.linkerd.io/proxy-memory-request: 256Mi
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: linkerd-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "1000", "-scaleInterval", "1000", "-target1", "http://myapp-linkerd.default:8181/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Job.default.linkerd-client
File: /lessons/172/1-test/jobs/0-linkerd-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: linkerd-client
6 |   namespace: default
7 | spec:
8 |   template:
9 |     metadata:
10 |       labels:
11 |         app: linkerd-client
12 |       annotations:
13 |         linkerd.io/inject: enabled
14 |         config.linkerd.io/proxy-cpu-limit: 500m
15 |         config.linkerd.io/proxy-cpu-request: 500m
16 |         config.linkerd.io/proxy-memory-limit: 256Mi
17 |         config.linkerd.io/proxy-memory-request: 256Mi
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: linkerd-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "1000", "-scaleInterval", "1000", "-target1", "http://myapp-linkerd.default:8181/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Job.default.linkerd-client
File: /lessons/172/1-test/jobs/0-linkerd-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: linkerd-client
6 |   namespace: default
7 | spec:
8 |   template:
9 |     metadata:
10 |       labels:
11 |         app: linkerd-client
12 |       annotations:
13 |         linkerd.io/inject: enabled
14 |         config.linkerd.io/proxy-cpu-limit: 500m
15 |         config.linkerd.io/proxy-cpu-request: 500m
16 |         config.linkerd.io/proxy-memory-limit: 256Mi
17 |         config.linkerd.io/proxy-memory-request: 256Mi
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: linkerd-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "1000", "-scaleInterval", "1000", "-target1", "http://myapp-linkerd.default:8181/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Job.default.linkerd-client
File: /lessons/172/1-test/jobs/0-linkerd-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: linkerd-client
6 |   namespace: default
7 | spec:
8 |   template:
9 |     metadata:
10 |       labels:
11 |         app: linkerd-client
12 |       annotations:
13 |         linkerd.io/inject: enabled
14 |         config.linkerd.io/proxy-cpu-limit: 500m
15 |         config.linkerd.io/proxy-cpu-request: 500m
16 |         config.linkerd.io/proxy-memory-limit: 256Mi
17 |         config.linkerd.io/proxy-memory-request: 256Mi
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: linkerd-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "1000", "-scaleInterval", "1000", "-target1", "http://myapp-linkerd.default:8181/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Job.default.linkerd-client
File: /lessons/172/1-test/jobs/0-linkerd-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: linkerd-client
6 |   namespace: default
7 | spec:
8 |   template:
9 |     metadata:
10 |       labels:
11 |         app: linkerd-client
12 |       annotations:
13 |         linkerd.io/inject: enabled
14 |         config.linkerd.io/proxy-cpu-limit: 500m
15 |         config.linkerd.io/proxy-cpu-request: 500m
16 |         config.linkerd.io/proxy-memory-limit: 256Mi
17 |         config.linkerd.io/proxy-memory-request: 256Mi
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: linkerd-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "1000", "-scaleInterval", "1000", "-target1", "http://myapp-linkerd.default:8181/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Job.default.linkerd-client
File: /lessons/172/1-test/jobs/0-linkerd-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: linkerd-client
6 |   namespace: default
7 | spec:
8 |   template:
9 |     metadata:
10 |       labels:
11 |         app: linkerd-client
12 |       annotations:
13 |         linkerd.io/inject: enabled
14 |         config.linkerd.io/proxy-cpu-limit: 500m
15 |         config.linkerd.io/proxy-cpu-request: 500m
16 |         config.linkerd.io/proxy-memory-limit: 256Mi
17 |         config.linkerd.io/proxy-memory-request: 256Mi
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: linkerd-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "1000", "-scaleInterval", "1000", "-target1", "http://myapp-linkerd.default:8181/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Job.default.linkerd-client
File: /lessons/172/1-test/jobs/0-linkerd-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: linkerd-client
6 |   namespace: default
7 | spec:
8 |   template:
9 |     metadata:
10 |       labels:
11 |         app: linkerd-client
12 |       annotations:
13 |         linkerd.io/inject: enabled
14 |         config.linkerd.io/proxy-cpu-limit: 500m
15 |         config.linkerd.io/proxy-cpu-request: 500m
16 |         config.linkerd.io/proxy-memory-limit: 256Mi
17 |         config.linkerd.io/proxy-memory-request: 256Mi
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: linkerd-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "1000", "-scaleInterval", "1000", "-target1", "http://myapp-linkerd.default:8181/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Job.default.linkerd-client
File: /lessons/172/1-test/jobs/0-linkerd-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: linkerd-client
6 |   namespace: default
7 | spec:
8 |   template:
9 |     metadata:
10 |       labels:
11 |         app: linkerd-client
12 |       annotations:
13 |         linkerd.io/inject: enabled
14 |         config.linkerd.io/proxy-cpu-limit: 500m
15 |         config.linkerd.io/proxy-cpu-request: 500m
16 |         config.linkerd.io/proxy-memory-limit: 256Mi
17 |         config.linkerd.io/proxy-memory-request: 256Mi
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: linkerd-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "1000", "-scaleInterval", "1000", "-target1", "http://myapp-linkerd.default:8181/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Job.default.linkerd-client
File: /lessons/172/1-test/jobs/0-linkerd-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: linkerd-client
6 |   namespace: default
7 | spec:
8 |   template:
9 |     metadata:
10 |       labels:
11 |         app: linkerd-client
12 |       annotations:
13 |         linkerd.io/inject: enabled
14 |         config.linkerd.io/proxy-cpu-limit: 500m
15 |         config.linkerd.io/proxy-cpu-request: 500m
16 |         config.linkerd.io/proxy-memory-limit: 256Mi
17 |         config.linkerd.io/proxy-memory-request: 256Mi
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: linkerd-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "1000", "-scaleInterval", "1000", "-target1", "http://myapp-linkerd.default:8181/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Job.default.istio-client
File: /lessons/172/1-test/jobs/1-istio-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: istio-client
6 |   namespace: default
7 | spec:
8 |   template:
9 |     metadata:
10 |       labels:
11 |         app: client-istio
12 |         sidecar.istio.io/inject: "true"
13 |       annotations:
14 |         sidecar.istio.io/proxyCPU: "500m"
15 |         sidecar.istio.io/proxyCPULimit: "500m"
16 |         sidecar.istio.io/proxyMemory: "256Mi"
17 |         sidecar.istio.io/proxyMemoryLimit: "256Mi"
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: istio-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "1000", "-scaleInterval", "1000", "-target1", "http://myapp-istio.default:8181/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Job.default.istio-client
File: /lessons/172/1-test/jobs/1-istio-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: istio-client
6 |   namespace: default
7 | spec:
8 |   template:
9 |     metadata:
10 |       labels:
11 |         app: client-istio
12 |         sidecar.istio.io/inject: "true"
13 |       annotations:
14 |         sidecar.istio.io/proxyCPU: "500m"
15 |         sidecar.istio.io/proxyCPULimit: "500m"
16 |         sidecar.istio.io/proxyMemory: "256Mi"
17 |         sidecar.istio.io/proxyMemoryLimit: "256Mi"
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: istio-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "1000", "-scaleInterval", "1000", "-target1", "http://myapp-istio.default:8181/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Job.default.istio-client
File: /lessons/172/1-test/jobs/1-istio-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: istio-client
6 |   namespace: default
7 | spec:
8 |   template:
9 |     metadata:
10 |       labels:
11 |         app: client-istio
12 |         sidecar.istio.io/inject: "true"
13 |       annotations:
14 |         sidecar.istio.io/proxyCPU: "500m"
15 |         sidecar.istio.io/proxyCPULimit: "500m"
16 |         sidecar.istio.io/proxyMemory: "256Mi"
17 |         sidecar.istio.io/proxyMemoryLimit: "256Mi"
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: istio-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "1000", "-scaleInterval", "1000", "-target1", "http://myapp-istio.default:8181/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Job.default.istio-client
File: /lessons/172/1-test/jobs/1-istio-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: istio-client
6 |   namespace: default
7 | spec:
8 |   template:
9 |     metadata:
10 |       labels:
11 |         app: client-istio
12 |         sidecar.istio.io/inject: "true"
13 |       annotations:
14 |         sidecar.istio.io/proxyCPU: "500m"
15 |         sidecar.istio.io/proxyCPULimit: "500m"
16 |         sidecar.istio.io/proxyMemory: "256Mi"
17 |         sidecar.istio.io/proxyMemoryLimit: "256Mi"
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: istio-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "1000", "-scaleInterval", "1000", "-target1", "http://myapp-istio.default:8181/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Job.default.istio-client
File: /lessons/172/1-test/jobs/1-istio-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: istio-client
6 |   namespace: default
7 | spec:
8 |   template:
9 |     metadata:
10 |       labels:
11 |         app: client-istio
12 |         sidecar.istio.io/inject: "true"
13 |       annotations:
14 |         sidecar.istio.io/proxyCPU: "500m"
15 |         sidecar.istio.io/proxyCPULimit: "500m"
16 |         sidecar.istio.io/proxyMemory: "256Mi"
17 |         sidecar.istio.io/proxyMemoryLimit: "256Mi"
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: istio-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "1000", "-scaleInterval", "1000", "-target1", "http://myapp-istio.default:8181/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Job.default.istio-client
File: /lessons/172/1-test/jobs/1-istio-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: istio-client
6 |   namespace: default
7 | spec:
8 |   template:
9 |     metadata:
10 |       labels:
11 |         app: client-istio
12 |         sidecar.istio.io/inject: "true"
13 |       annotations:
14 |         sidecar.istio.io/proxyCPU: "500m"
15 |         sidecar.istio.io/proxyCPULimit: "500m"
16 |         sidecar.istio.io/proxyMemory: "256Mi"
17 |         sidecar.istio.io/proxyMemoryLimit: "256Mi"
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: istio-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "1000", "-scaleInterval", "1000", "-target1", "http://myapp-istio.default:8181/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Job.default.istio-client
File: /lessons/172/1-test/jobs/1-istio-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: istio-client
6 |   namespace: default
7 | spec:
8 |   template:
9 |     metadata:
10 |       labels:
11 |         app: client-istio
12 |         sidecar.istio.io/inject: "true"
13 |       annotations:
14 |         sidecar.istio.io/proxyCPU: "500m"
15 |         sidecar.istio.io/proxyCPULimit: "500m"
16 |         sidecar.istio.io/proxyMemory: "256Mi"
17 |         sidecar.istio.io/proxyMemoryLimit: "256Mi"
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: istio-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "1000", "-scaleInterval", "1000", "-target1", "http://myapp-istio.default:8181/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Job.default.istio-client
File: /lessons/172/1-test/jobs/1-istio-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: istio-client
6 |   namespace: default
7 | spec:
8 |   template:
9 |     metadata:
10 |       labels:
11 |         app: client-istio
12 |         sidecar.istio.io/inject: "true"
13 |       annotations:
14 |         sidecar.istio.io/proxyCPU: "500m"
15 |         sidecar.istio.io/proxyCPULimit: "500m"
16 |         sidecar.istio.io/proxyMemory: "256Mi"
17 |         sidecar.istio.io/proxyMemoryLimit: "256Mi"
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: istio-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "1000", "-scaleInterval", "1000", "-target1", "http://myapp-istio.default:8181/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Job.default.istio-client
File: /lessons/172/1-test/jobs/1-istio-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: istio-client
6 |   namespace: default
7 | spec:
8 |   template:
9 |     metadata:
10 |       labels:
11 |         app: client-istio
12 |         sidecar.istio.io/inject: "true"
13 |       annotations:
14 |         sidecar.istio.io/proxyCPU: "500m"
15 |         sidecar.istio.io/proxyCPULimit: "500m"
16 |         sidecar.istio.io/proxyMemory: "256Mi"
17 |         sidecar.istio.io/proxyMemoryLimit: "256Mi"
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: istio-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "1000", "-scaleInterval", "1000", "-target1", "http://myapp-istio.default:8181/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Job.default.istio-client
File: /lessons/172/1-test/jobs/1-istio-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: istio-client
6 |   namespace: default
7 | spec:
8 |   template:
9 |     metadata:
10 |       labels:
11 |         app: client-istio
12 |         sidecar.istio.io/inject: "true"
13 |       annotations:
14 |         sidecar.istio.io/proxyCPU: "500m"
15 |         sidecar.istio.io/proxyCPULimit: "500m"
16 |         sidecar.istio.io/proxyMemory: "256Mi"
17 |         sidecar.istio.io/proxyMemoryLimit: "256Mi"
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: istio-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "1000", "-scaleInterval", "1000", "-target1", "http://myapp-istio.default:8181/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Job.default.istio-client
File: /lessons/172/1-test/jobs/1-istio-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: istio-client
6 |   namespace: default
7 | spec:
8 |   template:
9 |     metadata:
10 |       labels:
11 |         app: client-istio
12 |         sidecar.istio.io/inject: "true"
13 |       annotations:
14 |         sidecar.istio.io/proxyCPU: "500m"
15 |         sidecar.istio.io/proxyCPULimit: "500m"
16 |         sidecar.istio.io/proxyMemory: "256Mi"
17 |         sidecar.istio.io/proxyMemoryLimit: "256Mi"
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: istio-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "1000", "-scaleInterval", "1000", "-target1", "http://myapp-istio.default:8181/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Job.default.istio-client
File: /lessons/172/1-test/jobs/1-istio-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: istio-client
6 |   namespace: default
7 | spec:
8 |   template:
9 |     metadata:
10 |       labels:
11 |         app: client-istio
12 |         sidecar.istio.io/inject: "true"
13 |       annotations:
14 |         sidecar.istio.io/proxyCPU: "500m"
15 |         sidecar.istio.io/proxyCPULimit: "500m"
16 |         sidecar.istio.io/proxyMemory: "256Mi"
17 |         sidecar.istio.io/proxyMemoryLimit: "256Mi"
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: istio-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "1000", "-scaleInterval", "1000", "-target1", "http://myapp-istio.default:8181/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Job.default.istio-client
File: /lessons/172/1-test/jobs/1-istio-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: istio-client
6 |   namespace: default
7 | spec:
8 |   template:
9 |     metadata:
10 |       labels:
11 |         app: client-istio
12 |         sidecar.istio.io/inject: "true"
13 |       annotations:
14 |         sidecar.istio.io/proxyCPU: "500m"
15 |         sidecar.istio.io/proxyCPULimit: "500m"
16 |         sidecar.istio.io/proxyMemory: "256Mi"
17 |         sidecar.istio.io/proxyMemoryLimit: "256Mi"
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: istio-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "1000", "-scaleInterval", "1000", "-target1", "http://myapp-istio.default:8181/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Job.default.istio-client
File: /lessons/172/1-test/jobs/1-istio-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: istio-client
6 |   namespace: default
7 | spec:
8 |   template:
9 |     metadata:
10 |       labels:
11 |         app: client-istio
12 |         sidecar.istio.io/inject: "true"
13 |       annotations:
14 |         sidecar.istio.io/proxyCPU: "500m"
15 |         sidecar.istio.io/proxyCPULimit: "500m"
16 |         sidecar.istio.io/proxyMemory: "256Mi"
17 |         sidecar.istio.io/proxyMemoryLimit: "256Mi"
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: istio-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "1000", "-scaleInterval", "1000", "-target1", "http://myapp-istio.default:8181/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Job.default.istio-client
File: /lessons/172/1-test/jobs/1-istio-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: istio-client
6 |   namespace: default
7 | spec:
8 |   template:
9 |     metadata:
10 |       labels:
11 |         app: client-istio
12 |         sidecar.istio.io/inject: "true"
13 |       annotations:
14 |         sidecar.istio.io/proxyCPU: "500m"
15 |         sidecar.istio.io/proxyCPULimit: "500m"
16 |         sidecar.istio.io/proxyMemory: "256Mi"
17 |         sidecar.istio.io/proxyMemoryLimit: "256Mi"
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: istio-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "1000", "-scaleInterval", "1000", "-target1", "http://myapp-istio.default:8181/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Job.default.istio-client
File: /lessons/172/1-test/jobs/1-istio-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: istio-client
6 |   namespace: default
7 | spec:
8 |   template:
9 |     metadata:
10 |       labels:
11 |         app: client-istio
12 |         sidecar.istio.io/inject: "true"
13 |       annotations:
14 |         sidecar.istio.io/proxyCPU: "500m"
15 |         sidecar.istio.io/proxyCPULimit: "500m"
16 |         sidecar.istio.io/proxyMemory: "256Mi"
17 |         sidecar.istio.io/proxyMemoryLimit: "256Mi"
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: istio-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "1000", "-scaleInterval", "1000", "-target1", "http://myapp-istio.default:8181/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Job.default.istio-client
File: /lessons/172/1-test/jobs/1-istio-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: istio-client
6 |   namespace: default
7 | spec:
8 |   template:
9 |     metadata:
10 |       labels:
11 |         app: client-istio
12 |         sidecar.istio.io/inject: "true"
13 |       annotations:
14 |         sidecar.istio.io/proxyCPU: "500m"
15 |         sidecar.istio.io/proxyCPULimit: "500m"
16 |         sidecar.istio.io/proxyMemory: "256Mi"
17 |         sidecar.istio.io/proxyMemoryLimit: "256Mi"
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: istio-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "1000", "-scaleInterval", "1000", "-target1", "http://myapp-istio.default:8181/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.myapp-istio
File: /lessons/172/1-test/deployments/3-istio-service.yaml:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: Service
4 | metadata:
5 | name: myapp-istio
6 | namespace: default
7 | spec:
8 | selector:
9 | app: myapp-istio
10 | ports:
11 | - protocol: TCP
12 | port: 8181
13 | targetPort: http
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.myapp-linkerd
File: /lessons/172/1-test/deployments/2-linkerd-service.yaml:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: Service
4 | metadata:
5 | name: myapp-linkerd
6 | namespace: default
7 | spec:
8 | selector:
9 | app: myapp-linkerd
10 | ports:
11 | - protocol: TCP
12 | port: 8181
13 | targetPort: http
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.myapp-istio
File: /lessons/172/1-test/deployments/1-istio-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp-istio
6 | namespace: default
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: myapp-istio
12 | template:
13 | metadata:
14 | labels:
15 | app: myapp-istio
16 | sidecar.istio.io/inject: "true"
17 | annotations:
18 | sidecar.istio.io/proxyCPU: "500m"
19 | sidecar.istio.io/proxyCPULimit: "500m"
20 | sidecar.istio.io/proxyMemory: "256Mi"
21 | sidecar.istio.io/proxyMemoryLimit: "256Mi"
22 | spec:
23 | containers:
24 | - name: myapp-istio
25 | image: aputra/service-b-172:v4
26 | ports:
27 | - name: http
28 | containerPort: 8181
29 | resources:
30 | requests:
31 | memory: 2Gi
32 | cpu: "1"
33 | limits:
34 | memory: 2Gi
35 | cpu: "1"
36 | nodeSelector:
37 | service: istio
38 | tolerations:
39 | - key: service
40 | value: istio
41 | effect: NoSchedule
42 | operator: Equal
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.myapp-istio
File: /lessons/172/1-test/deployments/1-istio-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
(lines 2-42 of /lessons/172/1-test/deployments/1-istio-deployment.yaml, identical to the listing printed under CKV_K8S_31 for Deployment.default.myapp-istio above)
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.myapp-istio
File: /lessons/172/1-test/deployments/1-istio-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
(lines 2-42 of /lessons/172/1-test/deployments/1-istio-deployment.yaml, identical to the listing printed under CKV_K8S_31 for Deployment.default.myapp-istio above)
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.myapp-istio
File: /lessons/172/1-test/deployments/1-istio-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
(lines 2-42 of /lessons/172/1-test/deployments/1-istio-deployment.yaml, identical to the listing printed under CKV_K8S_31 for Deployment.default.myapp-istio above)
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.myapp-istio
File: /lessons/172/1-test/deployments/1-istio-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
(lines 2-42 of /lessons/172/1-test/deployments/1-istio-deployment.yaml, identical to the listing printed under CKV_K8S_31 for Deployment.default.myapp-istio above)
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.myapp-istio
File: /lessons/172/1-test/deployments/1-istio-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
(lines 2-42 of /lessons/172/1-test/deployments/1-istio-deployment.yaml, identical to the listing printed under CKV_K8S_31 for Deployment.default.myapp-istio above)
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.myapp-istio
File: /lessons/172/1-test/deployments/1-istio-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
(lines 2-42 of /lessons/172/1-test/deployments/1-istio-deployment.yaml, identical to the listing printed under CKV_K8S_31 for Deployment.default.myapp-istio above)
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.myapp-istio
File: /lessons/172/1-test/deployments/1-istio-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
(lines 2-42 of /lessons/172/1-test/deployments/1-istio-deployment.yaml, identical to the listing printed under CKV_K8S_31 for Deployment.default.myapp-istio above)
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.myapp-istio
File: /lessons/172/1-test/deployments/1-istio-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
(lines 2-42 of /lessons/172/1-test/deployments/1-istio-deployment.yaml, identical to the listing printed under CKV_K8S_31 for Deployment.default.myapp-istio above)
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.myapp-istio
File: /lessons/172/1-test/deployments/1-istio-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
(lines 2-42 of /lessons/172/1-test/deployments/1-istio-deployment.yaml, identical to the listing printed under CKV_K8S_31 for Deployment.default.myapp-istio above)
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.myapp-istio
File: /lessons/172/1-test/deployments/1-istio-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
(lines 2-42 of /lessons/172/1-test/deployments/1-istio-deployment.yaml, identical to the listing printed under CKV_K8S_31 for Deployment.default.myapp-istio above)
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.myapp-istio
File: /lessons/172/1-test/deployments/1-istio-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
(lines 2-42 of /lessons/172/1-test/deployments/1-istio-deployment.yaml, identical to the listing printed under CKV_K8S_31 for Deployment.default.myapp-istio above)
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.myapp-istio
File: /lessons/172/1-test/deployments/1-istio-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
(lines 2-42 of /lessons/172/1-test/deployments/1-istio-deployment.yaml, identical to the listing printed under CKV_K8S_31 for Deployment.default.myapp-istio above)
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.myapp-istio
File: /lessons/172/1-test/deployments/1-istio-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
(lines 2-42 of /lessons/172/1-test/deployments/1-istio-deployment.yaml, identical to the listing printed under CKV_K8S_31 for Deployment.default.myapp-istio above)
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.myapp-istio
File: /lessons/172/1-test/deployments/1-istio-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
(lines 2-42 of /lessons/172/1-test/deployments/1-istio-deployment.yaml, identical to the listing printed under CKV_K8S_31 for Deployment.default.myapp-istio above)
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.myapp-linkerd
File: /lessons/172/1-test/deployments/0-linkerd-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp-linkerd
6 | namespace: default
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: myapp-linkerd
12 | template:
13 | metadata:
14 | labels:
15 | app: myapp-linkerd
16 | annotations:
17 | linkerd.io/inject: enabled
18 | config.linkerd.io/proxy-cpu-limit: 500m
19 | config.linkerd.io/proxy-cpu-request: 500m
20 | config.linkerd.io/proxy-memory-limit: 256Mi
21 | config.linkerd.io/proxy-memory-request: 256Mi
22 | spec:
23 | containers:
24 | - name: myapp-linkerd
25 | image: aputra/service-b-172:v4
26 | ports:
27 | - name: http
28 | containerPort: 8181
29 | resources:
30 | requests:
31 | memory: 2Gi
32 | cpu: "1"
33 | limits:
34 | memory: 2Gi
35 | cpu: "1"
36 | nodeSelector:
37 | service: linkerd
38 | tolerations:
39 | - key: service
40 | value: linkerd
41 | effect: NoSchedule
42 | operator: Equal
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.myapp-linkerd
File: /lessons/172/1-test/deployments/0-linkerd-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
(lines 2-42 of /lessons/172/1-test/deployments/0-linkerd-deployment.yaml, identical to the listing printed under CKV_K8S_31 for Deployment.default.myapp-linkerd above)
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.myapp-linkerd
File: /lessons/172/1-test/deployments/0-linkerd-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
(lines 2-42 of /lessons/172/1-test/deployments/0-linkerd-deployment.yaml, identical to the listing printed under CKV_K8S_31 for Deployment.default.myapp-linkerd above)
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.myapp-linkerd
File: /lessons/172/1-test/deployments/0-linkerd-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
(lines 2-42 of /lessons/172/1-test/deployments/0-linkerd-deployment.yaml, identical to the listing printed under CKV_K8S_31 for Deployment.default.myapp-linkerd above)
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.myapp-linkerd
File: /lessons/172/1-test/deployments/0-linkerd-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
(lines 2-42 of /lessons/172/1-test/deployments/0-linkerd-deployment.yaml, identical to the listing printed under CKV_K8S_31 for Deployment.default.myapp-linkerd above)
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.myapp-linkerd
File: /lessons/172/1-test/deployments/0-linkerd-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
(lines 2-42 of /lessons/172/1-test/deployments/0-linkerd-deployment.yaml, identical to the listing printed under CKV_K8S_31 for Deployment.default.myapp-linkerd above)
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.myapp-linkerd
File: /lessons/172/1-test/deployments/0-linkerd-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
(lines 2-42 of /lessons/172/1-test/deployments/0-linkerd-deployment.yaml, identical to the listing printed under CKV_K8S_31 for Deployment.default.myapp-linkerd above)
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.myapp-linkerd
File: /lessons/172/1-test/deployments/0-linkerd-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
(lines 2-42 of /lessons/172/1-test/deployments/0-linkerd-deployment.yaml, identical to the listing printed under CKV_K8S_31 for Deployment.default.myapp-linkerd above)
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.myapp-linkerd
File: /lessons/172/1-test/deployments/0-linkerd-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
(lines 2-42 of /lessons/172/1-test/deployments/0-linkerd-deployment.yaml, identical to the listing printed under CKV_K8S_31 for Deployment.default.myapp-linkerd above)
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.myapp-linkerd
File: /lessons/172/1-test/deployments/0-linkerd-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
(lines 2-42 of /lessons/172/1-test/deployments/0-linkerd-deployment.yaml, identical to the listing printed under CKV_K8S_31 for Deployment.default.myapp-linkerd above)
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.myapp-linkerd
File: /lessons/172/1-test/deployments/0-linkerd-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.myapp-linkerd
File: /lessons/172/1-test/deployments/0-linkerd-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.myapp-linkerd
File: /lessons/172/1-test/deployments/0-linkerd-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.myapp-linkerd
File: /lessons/172/1-test/deployments/0-linkerd-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.myapp-linkerd
File: /lessons/172/1-test/deployments/0-linkerd-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Job.default.linkerd-client
File: /lessons/172/2-test/jobs/0-linkerd-job.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: linkerd-client
6 |   namespace: default
7 | spec:
8 |   template:
9 |     metadata:
10 |       labels:
11 |         app: linkerd-client
12 |       annotations:
13 |         linkerd.io/inject: enabled
14 |         config.linkerd.io/proxy-cpu-limit: 500m
15 |         config.linkerd.io/proxy-cpu-request: 500m
16 |         config.linkerd.io/proxy-memory-limit: 256Mi
17 |         config.linkerd.io/proxy-memory-request: 256Mi
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: linkerd-client
22 |           image: aputra/client-172:v2
23 |           command:
24 |             ["/main", "-maxClients", "500", "-scaleInterval", "1000", "-target1", "http://service-a-linkerd.default:8282/api/devices"]
25 |           ports:
26 |             - name: metrics
27 |               containerPort: 8081
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Job.default.linkerd-client
File: /lessons/172/2-test/jobs/0-linkerd-job.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Job.default.linkerd-client
File: /lessons/172/2-test/jobs/0-linkerd-job.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Job.default.linkerd-client
File: /lessons/172/2-test/jobs/0-linkerd-job.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Job.default.linkerd-client
File: /lessons/172/2-test/jobs/0-linkerd-job.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Job.default.linkerd-client
File: /lessons/172/2-test/jobs/0-linkerd-job.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Job.default.linkerd-client
File: /lessons/172/2-test/jobs/0-linkerd-job.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Job.default.linkerd-client
File: /lessons/172/2-test/jobs/0-linkerd-job.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Job.default.linkerd-client
File: /lessons/172/2-test/jobs/0-linkerd-job.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Job.default.linkerd-client
File: /lessons/172/2-test/jobs/0-linkerd-job.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Job.default.linkerd-client
File: /lessons/172/2-test/jobs/0-linkerd-job.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Job.default.linkerd-client
File: /lessons/172/2-test/jobs/0-linkerd-job.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Job.default.linkerd-client
File: /lessons/172/2-test/jobs/0-linkerd-job.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Job.default.linkerd-client
File: /lessons/172/2-test/jobs/0-linkerd-job.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Job.default.linkerd-client
File: /lessons/172/2-test/jobs/0-linkerd-job.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Job.default.linkerd-client
File: /lessons/172/2-test/jobs/0-linkerd-job.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Job.default.linkerd-client
File: /lessons/172/2-test/jobs/0-linkerd-job.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Job.default.istio-client
File: /lessons/172/2-test/jobs/1-istio-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: istio-client
6 |   namespace: default
7 | spec:
8 |   template:
9 |     metadata:
10 |       labels:
11 |         app: istio-client
12 |         sidecar.istio.io/inject: "true"
13 |       annotations:
14 |         sidecar.istio.io/proxyCPU: "500m"
15 |         sidecar.istio.io/proxyCPULimit: "500m"
16 |         sidecar.istio.io/proxyMemory: "256Mi"
17 |         sidecar.istio.io/proxyMemoryLimit: "256Mi"
18 |     spec:
19 |       restartPolicy: Never
20 |       containers:
21 |         - name: istio-client
22 |           image: aputra/client-172:v2
23 |           command: ["/main", "-maxClients", "500", "-scaleInterval", "1000", "-target1", "http://service-a-istio.default:8282/api/devices"]
24 |           ports:
25 |             - name: metrics
26 |               containerPort: 8081
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Job.default.istio-client
File: /lessons/172/2-test/jobs/1-istio-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Job.default.istio-client
File: /lessons/172/2-test/jobs/1-istio-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Job.default.istio-client
File: /lessons/172/2-test/jobs/1-istio-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Job.default.istio-client
File: /lessons/172/2-test/jobs/1-istio-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Job.default.istio-client
File: /lessons/172/2-test/jobs/1-istio-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Job.default.istio-client
File: /lessons/172/2-test/jobs/1-istio-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Job.default.istio-client
File: /lessons/172/2-test/jobs/1-istio-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Job.default.istio-client
File: /lessons/172/2-test/jobs/1-istio-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Job.default.istio-client
File: /lessons/172/2-test/jobs/1-istio-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Job.default.istio-client
File: /lessons/172/2-test/jobs/1-istio-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Job.default.istio-client
File: /lessons/172/2-test/jobs/1-istio-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Job.default.istio-client
File: /lessons/172/2-test/jobs/1-istio-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Job.default.istio-client
File: /lessons/172/2-test/jobs/1-istio-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Job.default.istio-client
File: /lessons/172/2-test/jobs/1-istio-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Job.default.istio-client
File: /lessons/172/2-test/jobs/1-istio-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Job.default.istio-client
File: /lessons/172/2-test/jobs/1-istio-job.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
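Every finding above for Job.default.istio-client comes from fields that are simply absent from one pod template, so they are fixed together. The manifest below is an added example for this page, not a file from the antonputra/tutorials repository: it is lessons/172/2-test/jobs/1-istio-job.yaml rewritten so that each listed check passes, with the check ID noted next to the field that satisfies it. Assumptions are marked in the comments: the namespace name mesh-bench (and the matching change to the -target1 URL), the UID 10001, the app container's own resource sizing, and the image digest, which is a 64-zero placeholder to be replaced with the real value (for example from `crane digest aputra/client-172:v2`).

```yaml
# Added example (not from the repository): hardened version of 1-istio-job.yaml.
# Assumed values: namespace mesh-bench, UID 10001, app-container resources, digest placeholder.
apiVersion: batch/v1
kind: Job
metadata:
  name: istio-client
  namespace: mesh-bench                          # CKV_K8S_21: dedicated namespace instead of "default" (assumed name)
spec:
  template:
    metadata:
      labels:
        app: istio-client
        sidecar.istio.io/inject: "true"
      annotations:
        # These annotations size only the injected Envoy proxy; the app
        # container's own requests and limits are set further down.
        sidecar.istio.io/proxyCPU: "500m"
        sidecar.istio.io/proxyCPULimit: "500m"
        sidecar.istio.io/proxyMemory: "256Mi"
        sidecar.istio.io/proxyMemoryLimit: "256Mi"
    spec:
      restartPolicy: Never
      automountServiceAccountToken: false        # CKV_K8S_38: the load generator never calls the API server
      securityContext:                           # CKV_K8S_29: pod-level security context
        runAsNonRoot: true                       # CKV_K8S_23
        runAsUser: 10001                         # CKV_K8S_40: assumed UID above 10000; the image must run as it
        runAsGroup: 10001
        seccompProfile:
          type: RuntimeDefault                   # CKV_K8S_31
      containers:
        - name: istio-client
          # CKV_K8S_43: reference the image by digest. The digest below is a PLACEHOLDER;
          # resolve the real one with `crane digest aputra/client-172:v2`.
          image: aputra/client-172@sha256:0000000000000000000000000000000000000000000000000000000000000000
          imagePullPolicy: Always                # CKV_K8S_15 (a digest is immutable anyway, but the check wants Always)
          # Target now lives in the same assumed namespace as this Job.
          command: ["/main", "-maxClients", "500", "-scaleInterval", "1000", "-target1", "http://service-a-istio.mesh-bench:8282/api/devices"]
          ports:
            - name: metrics
              containerPort: 8081
          resources:                             # assumed sizing for the app container
            requests:
              memory: 256Mi                      # CKV_K8S_12
              cpu: 500m
            limits:
              memory: 256Mi                      # CKV_K8S_13
              cpu: 500m
          securityContext:                       # CKV_K8S_30: container-level security context
            allowPrivilegeEscalation: false      # CKV_K8S_20
            readOnlyRootFilesystem: true         # CKV_K8S_22
            capabilities:
              drop: ["ALL"]                      # CKV_K8S_37; dropping ALL also satisfies CKV_K8S_28 (NET_RAW)
```

Two things to verify after applying it. If /main writes anywhere on its root filesystem, readOnlyRootFilesystem will surface that as a runtime error; give it an emptyDir volume at that path rather than turning the setting off. Disabling the service account token does not break the Istio sidecar, because the injector mounts its own projected istio-token volume for the proxy; confirm on the running pod with `kubectl -n mesh-bench get pod -l app=istio-client -o jsonpath='{.spec.volumes[*].name}'`. Note also that checkov evaluates the manifest before injection, so the sidecar and init containers the mesh adds are outside what this scan can see.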
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.service-a-istio
File: /lessons/172/2-test/deployments/6-service-a-istio.yaml:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: Service
4 | metadata:
5 |   name: service-a-istio
6 |   namespace: default
7 | spec:
8 |   selector:
9 |     app: service-a-istio
10 |   ports:
11 |     - protocol: TCP
12 |       port: 8282
13 |       targetPort: http
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.service-b-istio
File: /lessons/172/2-test/deployments/7-service-b-istio.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-b-istio
6 |   namespace: default
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-b-istio
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-b-istio
16 |         sidecar.istio.io/inject: "true"
17 |       annotations:
18 |         sidecar.istio.io/proxyCPU: "500m"
19 |         sidecar.istio.io/proxyCPULimit: "500m"
20 |         sidecar.istio.io/proxyMemory: "256Mi"
21 |         sidecar.istio.io/proxyMemoryLimit: "256Mi"
22 |     spec:
23 |       containers:
24 |         - name: service-b-istio
25 |           image: aputra/service-b-172:v4
26 |           ports:
27 |             - name: http
28 |               containerPort: 8181
29 |           resources:
30 |             requests:
31 |               memory: 2Gi
32 |               cpu: "1"
33 |             limits:
34 |               memory: 2Gi
35 |               cpu: "1"
36 |       nodeSelector:
37 |         service: istio
38 |       tolerations:
39 |         - key: service
40 |           value: istio
41 |           effect: NoSchedule
42 |           operator: Equal
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.service-b-istio
File: /lessons/172/2-test/deployments/7-service-b-istio.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.service-b-istio
File: /lessons/172/2-test/deployments/7-service-b-istio.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.service-b-istio
File: /lessons/172/2-test/deployments/7-service-b-istio.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.service-b-istio
File: /lessons/172/2-test/deployments/7-service-b-istio.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.service-b-istio
File: /lessons/172/2-test/deployments/7-service-b-istio.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.service-b-istio
File: /lessons/172/2-test/deployments/7-service-b-istio.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.service-b-istio
File: /lessons/172/2-test/deployments/7-service-b-istio.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.service-b-istio
File: /lessons/172/2-test/deployments/7-service-b-istio.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.service-b-istio
File: /lessons/172/2-test/deployments/7-service-b-istio.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.service-b-istio
File: /lessons/172/2-test/deployments/7-service-b-istio.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.service-b-istio
File: /lessons/172/2-test/deployments/7-service-b-istio.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.service-b-istio
File: /lessons/172/2-test/deployments/7-service-b-istio.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.service-b-istio
File: /lessons/172/2-test/deployments/7-service-b-istio.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.service-b-istio
File: /lessons/172/2-test/deployments/7-service-b-istio.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
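The service-b-istio Deployment fails the same set of checks as the Job plus the two probe checks (CKV_K8S_8, CKV_K8S_9), and the Service fails only CKV_K8S_21. The manifest below is an added example for this page, not a file from the antonputra/tutorials repository. It pairs a Namespace that carries Pod Security Admission labels, so that the root, privilege-escalation, capability and seccomp checks are also enforced at admission rather than only at scan time, with lessons/172/2-test/deployments/7-service-b-istio.yaml rewritten to pass the findings. Assumptions, marked in the comments: the namespace name mesh-bench, the UID 10001, TCP probes (the scan shows no health path for service-b), and a 64-zero placeholder digest to be replaced with the output of `crane digest aputra/service-b-172:v4`.

```yaml
# Added example (not from the repository): namespace with Pod Security Admission
# labels plus the hardened service-b-istio Deployment.
# Assumed values: namespace mesh-bench, UID 10001, TCP probes, digest placeholder.
apiVersion: v1
kind: Namespace
metadata:
  name: mesh-bench                                   # CKV_K8S_21 for every object deployed into it (assumed name)
  labels:
    # Admission-time counterpart of the static checks: the "restricted" profile
    # rejects root users, privilege escalation, added capabilities and pods
    # without a seccomp profile, including containers a sidecar injector adds.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: service-b-istio
  namespace: mesh-bench
spec:
  replicas: 1
  selector:
    matchLabels:
      app: service-b-istio
  template:
    metadata:
      labels:
        app: service-b-istio
        sidecar.istio.io/inject: "true"              # Linkerd variant: annotation linkerd.io/inject: enabled instead
      annotations:
        sidecar.istio.io/proxyCPU: "500m"
        sidecar.istio.io/proxyCPULimit: "500m"
        sidecar.istio.io/proxyMemory: "256Mi"
        sidecar.istio.io/proxyMemoryLimit: "256Mi"
    spec:
      automountServiceAccountToken: false            # CKV_K8S_38
      securityContext:                               # CKV_K8S_29: pod-level context
        runAsNonRoot: true                           # CKV_K8S_23
        runAsUser: 10001                             # CKV_K8S_40: assumed UID above 10000
        runAsGroup: 10001
        seccompProfile:
          type: RuntimeDefault                       # CKV_K8S_31
      containers:
        - name: service-b-istio
          # CKV_K8S_43: PLACEHOLDER digest; replace with `crane digest aputra/service-b-172:v4`
          image: aputra/service-b-172@sha256:0000000000000000000000000000000000000000000000000000000000000000
          imagePullPolicy: Always                    # CKV_K8S_15
          ports:
            - name: http
              containerPort: 8181
          # CKV_K8S_8 / CKV_K8S_9: no health path for service-b appears in the scan,
          # so the probes only check that the port accepts connections (assumed);
          # switch to httpGet once the application exposes a health endpoint.
          livenessProbe:
            tcpSocket:
              port: http
            initialDelaySeconds: 10
            periodSeconds: 10
          readinessProbe:
            tcpSocket:
              port: http
            periodSeconds: 5
          resources:                                 # unchanged from the original file
            requests:
              memory: 2Gi
              cpu: "1"
            limits:
              memory: 2Gi
              cpu: "1"
          securityContext:                           # CKV_K8S_30: container-level context
            allowPrivilegeEscalation: false          # CKV_K8S_20
            readOnlyRootFilesystem: true             # CKV_K8S_22
            capabilities:
              drop: ["ALL"]                          # CKV_K8S_37; covers NET_RAW for CKV_K8S_28
      nodeSelector:
        service: istio
      tolerations:
        - key: service
          value: istio
          effect: NoSchedule
          operator: Equal
```

Apply the Namespace first. The Service from 6-service-a-istio.yaml needs only `namespace: mesh-bench` to clear CKV_K8S_21, and the service-b-linkerd Deployment reported next takes the same spec with `linkerd.io/inject: enabled` and the config.linkerd.io proxy annotations in place of the Istio ones. One caveat the scanner cannot raise: checkov reads the manifest before injection, but the restricted profile is evaluated after it. Both meshes inject an init container (istio-init, linkerd-init) that runs as root with NET_ADMIN and NET_RAW to program iptables, and the restricted profile rejects it unless the cluster runs the Istio CNI plugin or linkerd-cni, which do that work on the node instead. Before enforcing on a namespace that already has pods, preview what would be rejected with `kubectl label --dry-run=server --overwrite ns mesh-bench pod-security.kubernetes.io/enforce=restricted`.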
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.service-b-linkerd
File: /lessons/172/2-test/deployments/2-service-b-linkerd.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-b-linkerd
6 |   namespace: default
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-b-linkerd
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-b-linkerd
16 |       annotations:
17 |         linkerd.io/inject: enabled
18 |         config.linkerd.io/proxy-cpu-limit: 500m
19 |         config.linkerd.io/proxy-cpu-request: 500m
20 |         config.linkerd.io/proxy-memory-limit: 256Mi
21 |         config.linkerd.io/proxy-memory-request: 256Mi
22 |     spec:
23 |       containers:
24 |         - name: service-b-linkerd
25 |           image: aputra/service-b-172:v4
26 |           ports:
27 |             - name: http
28 |               containerPort: 8181
29 |           resources:
30 |             requests:
31 |               memory: 2Gi
32 |               cpu: "1"
33 |             limits:
34 |               memory: 2Gi
35 |               cpu: "1"
36 |       nodeSelector:
37 |         service: linkerd
38 |       tolerations:
39 |         - key: service
40 |           value: linkerd
41 |           effect: NoSchedule
42 |           operator: Equal
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.service-b-linkerd
File: /lessons/172/2-test/deployments/2-service-b-linkerd.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-linkerd
6 | namespace: default
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b-linkerd
12 | template:
13 | metadata:
14 | labels:
15 | app: service-b-linkerd
16 | annotations:
17 | linkerd.io/inject: enabled
18 | config.linkerd.io/proxy-cpu-limit: 500m
19 | config.linkerd.io/proxy-cpu-request: 500m
20 | config.linkerd.io/proxy-memory-limit: 256Mi
21 | config.linkerd.io/proxy-memory-request: 256Mi
22 | spec:
23 | containers:
24 | - name: service-b-linkerd
25 | image: aputra/service-b-172:v4
26 | ports:
27 | - name: http
28 | containerPort: 8181
29 | resources:
30 | requests:
31 | memory: 2Gi
32 | cpu: "1"
33 | limits:
34 | memory: 2Gi
35 | cpu: "1"
36 | nodeSelector:
37 | service: linkerd
38 | tolerations:
39 | - key: service
40 | value: linkerd
41 | effect: NoSchedule
42 | operator: Equal
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.service-b-linkerd
File: /lessons/172/2-test/deployments/2-service-b-linkerd.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-linkerd
6 | namespace: default
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b-linkerd
12 | template:
13 | metadata:
14 | labels:
15 | app: service-b-linkerd
16 | annotations:
17 | linkerd.io/inject: enabled
18 | config.linkerd.io/proxy-cpu-limit: 500m
19 | config.linkerd.io/proxy-cpu-request: 500m
20 | config.linkerd.io/proxy-memory-limit: 256Mi
21 | config.linkerd.io/proxy-memory-request: 256Mi
22 | spec:
23 | containers:
24 | - name: service-b-linkerd
25 | image: aputra/service-b-172:v4
26 | ports:
27 | - name: http
28 | containerPort: 8181
29 | resources:
30 | requests:
31 | memory: 2Gi
32 | cpu: "1"
33 | limits:
34 | memory: 2Gi
35 | cpu: "1"
36 | nodeSelector:
37 | service: linkerd
38 | tolerations:
39 | - key: service
40 | value: linkerd
41 | effect: NoSchedule
42 | operator: Equal
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.service-b-linkerd
File: /lessons/172/2-test/deployments/2-service-b-linkerd.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-linkerd
6 | namespace: default
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b-linkerd
12 | template:
13 | metadata:
14 | labels:
15 | app: service-b-linkerd
16 | annotations:
17 | linkerd.io/inject: enabled
18 | config.linkerd.io/proxy-cpu-limit: 500m
19 | config.linkerd.io/proxy-cpu-request: 500m
20 | config.linkerd.io/proxy-memory-limit: 256Mi
21 | config.linkerd.io/proxy-memory-request: 256Mi
22 | spec:
23 | containers:
24 | - name: service-b-linkerd
25 | image: aputra/service-b-172:v4
26 | ports:
27 | - name: http
28 | containerPort: 8181
29 | resources:
30 | requests:
31 | memory: 2Gi
32 | cpu: "1"
33 | limits:
34 | memory: 2Gi
35 | cpu: "1"
36 | nodeSelector:
37 | service: linkerd
38 | tolerations:
39 | - key: service
40 | value: linkerd
41 | effect: NoSchedule
42 | operator: Equal
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.service-b-linkerd
File: /lessons/172/2-test/deployments/2-service-b-linkerd.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-linkerd
6 | namespace: default
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b-linkerd
12 | template:
13 | metadata:
14 | labels:
15 | app: service-b-linkerd
16 | annotations:
17 | linkerd.io/inject: enabled
18 | config.linkerd.io/proxy-cpu-limit: 500m
19 | config.linkerd.io/proxy-cpu-request: 500m
20 | config.linkerd.io/proxy-memory-limit: 256Mi
21 | config.linkerd.io/proxy-memory-request: 256Mi
22 | spec:
23 | containers:
24 | - name: service-b-linkerd
25 | image: aputra/service-b-172:v4
26 | ports:
27 | - name: http
28 | containerPort: 8181
29 | resources:
30 | requests:
31 | memory: 2Gi
32 | cpu: "1"
33 | limits:
34 | memory: 2Gi
35 | cpu: "1"
36 | nodeSelector:
37 | service: linkerd
38 | tolerations:
39 | - key: service
40 | value: linkerd
41 | effect: NoSchedule
42 | operator: Equal
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.service-b-linkerd
File: /lessons/172/2-test/deployments/2-service-b-linkerd.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-linkerd
6 | namespace: default
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b-linkerd
12 | template:
13 | metadata:
14 | labels:
15 | app: service-b-linkerd
16 | annotations:
17 | linkerd.io/inject: enabled
18 | config.linkerd.io/proxy-cpu-limit: 500m
19 | config.linkerd.io/proxy-cpu-request: 500m
20 | config.linkerd.io/proxy-memory-limit: 256Mi
21 | config.linkerd.io/proxy-memory-request: 256Mi
22 | spec:
23 | containers:
24 | - name: service-b-linkerd
25 | image: aputra/service-b-172:v4
26 | ports:
27 | - name: http
28 | containerPort: 8181
29 | resources:
30 | requests:
31 | memory: 2Gi
32 | cpu: "1"
33 | limits:
34 | memory: 2Gi
35 | cpu: "1"
36 | nodeSelector:
37 | service: linkerd
38 | tolerations:
39 | - key: service
40 | value: linkerd
41 | effect: NoSchedule
42 | operator: Equal
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.service-b-linkerd
File: /lessons/172/2-test/deployments/2-service-b-linkerd.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-linkerd
6 | namespace: default
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b-linkerd
12 | template:
13 | metadata:
14 | labels:
15 | app: service-b-linkerd
16 | annotations:
17 | linkerd.io/inject: enabled
18 | config.linkerd.io/proxy-cpu-limit: 500m
19 | config.linkerd.io/proxy-cpu-request: 500m
20 | config.linkerd.io/proxy-memory-limit: 256Mi
21 | config.linkerd.io/proxy-memory-request: 256Mi
22 | spec:
23 | containers:
24 | - name: service-b-linkerd
25 | image: aputra/service-b-172:v4
26 | ports:
27 | - name: http
28 | containerPort: 8181
29 | resources:
30 | requests:
31 | memory: 2Gi
32 | cpu: "1"
33 | limits:
34 | memory: 2Gi
35 | cpu: "1"
36 | nodeSelector:
37 | service: linkerd
38 | tolerations:
39 | - key: service
40 | value: linkerd
41 | effect: NoSchedule
42 | operator: Equal
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.service-b-linkerd
File: /lessons/172/2-test/deployments/2-service-b-linkerd.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-linkerd
6 | namespace: default
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b-linkerd
12 | template:
13 | metadata:
14 | labels:
15 | app: service-b-linkerd
16 | annotations:
17 | linkerd.io/inject: enabled
18 | config.linkerd.io/proxy-cpu-limit: 500m
19 | config.linkerd.io/proxy-cpu-request: 500m
20 | config.linkerd.io/proxy-memory-limit: 256Mi
21 | config.linkerd.io/proxy-memory-request: 256Mi
22 | spec:
23 | containers:
24 | - name: service-b-linkerd
25 | image: aputra/service-b-172:v4
26 | ports:
27 | - name: http
28 | containerPort: 8181
29 | resources:
30 | requests:
31 | memory: 2Gi
32 | cpu: "1"
33 | limits:
34 | memory: 2Gi
35 | cpu: "1"
36 | nodeSelector:
37 | service: linkerd
38 | tolerations:
39 | - key: service
40 | value: linkerd
41 | effect: NoSchedule
42 | operator: Equal
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.service-b-linkerd
File: /lessons/172/2-test/deployments/2-service-b-linkerd.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-linkerd
6 | namespace: default
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b-linkerd
12 | template:
13 | metadata:
14 | labels:
15 | app: service-b-linkerd
16 | annotations:
17 | linkerd.io/inject: enabled
18 | config.linkerd.io/proxy-cpu-limit: 500m
19 | config.linkerd.io/proxy-cpu-request: 500m
20 | config.linkerd.io/proxy-memory-limit: 256Mi
21 | config.linkerd.io/proxy-memory-request: 256Mi
22 | spec:
23 | containers:
24 | - name: service-b-linkerd
25 | image: aputra/service-b-172:v4
26 | ports:
27 | - name: http
28 | containerPort: 8181
29 | resources:
30 | requests:
31 | memory: 2Gi
32 | cpu: "1"
33 | limits:
34 | memory: 2Gi
35 | cpu: "1"
36 | nodeSelector:
37 | service: linkerd
38 | tolerations:
39 | - key: service
40 | value: linkerd
41 | effect: NoSchedule
42 | operator: Equal
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.service-b-linkerd
File: /lessons/172/2-test/deployments/2-service-b-linkerd.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-linkerd
6 | namespace: default
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b-linkerd
12 | template:
13 | metadata:
14 | labels:
15 | app: service-b-linkerd
16 | annotations:
17 | linkerd.io/inject: enabled
18 | config.linkerd.io/proxy-cpu-limit: 500m
19 | config.linkerd.io/proxy-cpu-request: 500m
20 | config.linkerd.io/proxy-memory-limit: 256Mi
21 | config.linkerd.io/proxy-memory-request: 256Mi
22 | spec:
23 | containers:
24 | - name: service-b-linkerd
25 | image: aputra/service-b-172:v4
26 | ports:
27 | - name: http
28 | containerPort: 8181
29 | resources:
30 | requests:
31 | memory: 2Gi
32 | cpu: "1"
33 | limits:
34 | memory: 2Gi
35 | cpu: "1"
36 | nodeSelector:
37 | service: linkerd
38 | tolerations:
39 | - key: service
40 | value: linkerd
41 | effect: NoSchedule
42 | operator: Equal
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.service-b-linkerd
File: /lessons/172/2-test/deployments/2-service-b-linkerd.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-linkerd
6 | namespace: default
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b-linkerd
12 | template:
13 | metadata:
14 | labels:
15 | app: service-b-linkerd
16 | annotations:
17 | linkerd.io/inject: enabled
18 | config.linkerd.io/proxy-cpu-limit: 500m
19 | config.linkerd.io/proxy-cpu-request: 500m
20 | config.linkerd.io/proxy-memory-limit: 256Mi
21 | config.linkerd.io/proxy-memory-request: 256Mi
22 | spec:
23 | containers:
24 | - name: service-b-linkerd
25 | image: aputra/service-b-172:v4
26 | ports:
27 | - name: http
28 | containerPort: 8181
29 | resources:
30 | requests:
31 | memory: 2Gi
32 | cpu: "1"
33 | limits:
34 | memory: 2Gi
35 | cpu: "1"
36 | nodeSelector:
37 | service: linkerd
38 | tolerations:
39 | - key: service
40 | value: linkerd
41 | effect: NoSchedule
42 | operator: Equal
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.service-b-linkerd
File: /lessons/172/2-test/deployments/2-service-b-linkerd.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-linkerd
6 | namespace: default
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b-linkerd
12 | template:
13 | metadata:
14 | labels:
15 | app: service-b-linkerd
16 | annotations:
17 | linkerd.io/inject: enabled
18 | config.linkerd.io/proxy-cpu-limit: 500m
19 | config.linkerd.io/proxy-cpu-request: 500m
20 | config.linkerd.io/proxy-memory-limit: 256Mi
21 | config.linkerd.io/proxy-memory-request: 256Mi
22 | spec:
23 | containers:
24 | - name: service-b-linkerd
25 | image: aputra/service-b-172:v4
26 | ports:
27 | - name: http
28 | containerPort: 8181
29 | resources:
30 | requests:
31 | memory: 2Gi
32 | cpu: "1"
33 | limits:
34 | memory: 2Gi
35 | cpu: "1"
36 | nodeSelector:
37 | service: linkerd
38 | tolerations:
39 | - key: service
40 | value: linkerd
41 | effect: NoSchedule
42 | operator: Equal
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.service-b-linkerd
File: /lessons/172/2-test/deployments/2-service-b-linkerd.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-linkerd
6 | namespace: default
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b-linkerd
12 | template:
13 | metadata:
14 | labels:
15 | app: service-b-linkerd
16 | annotations:
17 | linkerd.io/inject: enabled
18 | config.linkerd.io/proxy-cpu-limit: 500m
19 | config.linkerd.io/proxy-cpu-request: 500m
20 | config.linkerd.io/proxy-memory-limit: 256Mi
21 | config.linkerd.io/proxy-memory-request: 256Mi
22 | spec:
23 | containers:
24 | - name: service-b-linkerd
25 | image: aputra/service-b-172:v4
26 | ports:
27 | - name: http
28 | containerPort: 8181
29 | resources:
30 | requests:
31 | memory: 2Gi
32 | cpu: "1"
33 | limits:
34 | memory: 2Gi
35 | cpu: "1"
36 | nodeSelector:
37 | service: linkerd
38 | tolerations:
39 | - key: service
40 | value: linkerd
41 | effect: NoSchedule
42 | operator: Equal
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.service-b-linkerd
File: /lessons/172/2-test/deployments/2-service-b-linkerd.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-linkerd
6 | namespace: default
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b-linkerd
12 | template:
13 | metadata:
14 | labels:
15 | app: service-b-linkerd
16 | annotations:
17 | linkerd.io/inject: enabled
18 | config.linkerd.io/proxy-cpu-limit: 500m
19 | config.linkerd.io/proxy-cpu-request: 500m
20 | config.linkerd.io/proxy-memory-limit: 256Mi
21 | config.linkerd.io/proxy-memory-request: 256Mi
22 | spec:
23 | containers:
24 | - name: service-b-linkerd
25 | image: aputra/service-b-172:v4
26 | ports:
27 | - name: http
28 | containerPort: 8181
29 | resources:
30 | requests:
31 | memory: 2Gi
32 | cpu: "1"
33 | limits:
34 | memory: 2Gi
35 | cpu: "1"
36 | nodeSelector:
37 | service: linkerd
38 | tolerations:
39 | - key: service
40 | value: linkerd
41 | effect: NoSchedule
42 | operator: Equal
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.service-b-linkerd
File: /lessons/172/2-test/deployments/2-service-b-linkerd.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-linkerd
6 | namespace: default
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b-linkerd
12 | template:
13 | metadata:
14 | labels:
15 | app: service-b-linkerd
16 | annotations:
17 | linkerd.io/inject: enabled
18 | config.linkerd.io/proxy-cpu-limit: 500m
19 | config.linkerd.io/proxy-cpu-request: 500m
20 | config.linkerd.io/proxy-memory-limit: 256Mi
21 | config.linkerd.io/proxy-memory-request: 256Mi
22 | spec:
23 | containers:
24 | - name: service-b-linkerd
25 | image: aputra/service-b-172:v4
26 | ports:
27 | - name: http
28 | containerPort: 8181
29 | resources:
30 | requests:
31 | memory: 2Gi
32 | cpu: "1"
33 | limits:
34 | memory: 2Gi
35 | cpu: "1"
36 | nodeSelector:
37 | service: linkerd
38 | tolerations:
39 | - key: service
40 | value: linkerd
41 | effect: NoSchedule
42 | operator: Equal
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.service-b-istio
File: /lessons/172/2-test/deployments/8-service-a-istio.yaml:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: Service
4 | metadata:
5 | name: service-b-istio
6 | namespace: default
7 | spec:
8 | selector:
9 | app: service-b-istio
10 | ports:
11 | - protocol: TCP
12 | port: 8181
13 | targetPort: http
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.service-a-linkerd
File: /lessons/172/2-test/deployments/1-service-a-linkerd.yaml:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: Service
4 | metadata:
5 | name: service-a-linkerd
6 | namespace: default
7 | spec:
8 | selector:
9 | app: service-a-linkerd
10 | ports:
11 | - protocol: TCP
12 | port: 8282
13 | targetPort: http
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.service-b-linkerd
File: /lessons/172/2-test/deployments/3-service-a-linkerd.yaml:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: Service
4 | metadata:
5 | name: service-b-linkerd
6 | namespace: default
7 | spec:
8 | selector:
9 | app: service-b-linkerd
10 | ports:
11 | - protocol: TCP
12 | port: 8181
13 | targetPort: http
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.service-a-istio
File: /lessons/172/2-test/deployments/5-service-a-istio.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a-istio
6 | namespace: default
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-a-istio
12 | template:
13 | metadata:
14 | labels:
15 | app: service-a-istio
16 | sidecar.istio.io/inject: "true"
17 | annotations:
18 | sidecar.istio.io/proxyCPU: "500m"
19 | sidecar.istio.io/proxyCPULimit: "500m"
20 | sidecar.istio.io/proxyMemory: "256Mi"
21 | sidecar.istio.io/proxyMemoryLimit: "256Mi"
22 | spec:
23 | containers:
24 | - name: service-a-istio
25 | image: aputra/service-a-172:v4
26 | env:
27 | - name: TARGET
28 | value: "http://service-b-istio.default:8181"
29 | ports:
30 | - name: http
31 | containerPort: 8282
32 | resources:
33 | requests:
34 | memory: 2Gi
35 | cpu: "1"
36 | limits:
37 | memory: 2Gi
38 | cpu: "1"
39 | nodeSelector:
40 | service: istio
41 | tolerations:
42 | - key: service
43 | value: istio
44 | effect: NoSchedule
45 | operator: Equal
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.service-a-istio
File: /lessons/172/2-test/deployments/5-service-a-istio.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a-istio
6 | namespace: default
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-a-istio
12 | template:
13 | metadata:
14 | labels:
15 | app: service-a-istio
16 | sidecar.istio.io/inject: "true"
17 | annotations:
18 | sidecar.istio.io/proxyCPU: "500m"
19 | sidecar.istio.io/proxyCPULimit: "500m"
20 | sidecar.istio.io/proxyMemory: "256Mi"
21 | sidecar.istio.io/proxyMemoryLimit: "256Mi"
22 | spec:
23 | containers:
24 | - name: service-a-istio
25 | image: aputra/service-a-172:v4
26 | env:
27 | - name: TARGET
28 | value: "http://service-b-istio.default:8181"
29 | ports:
30 | - name: http
31 | containerPort: 8282
32 | resources:
33 | requests:
34 | memory: 2Gi
35 | cpu: "1"
36 | limits:
37 | memory: 2Gi
38 | cpu: "1"
39 | nodeSelector:
40 | service: istio
41 | tolerations:
42 | - key: service
43 | value: istio
44 | effect: NoSchedule
45 | operator: Equal
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.service-a-istio
File: /lessons/172/2-test/deployments/5-service-a-istio.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a-istio
6 | namespace: default
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-a-istio
12 | template:
13 | metadata:
14 | labels:
15 | app: service-a-istio
16 | sidecar.istio.io/inject: "true"
17 | annotations:
18 | sidecar.istio.io/proxyCPU: "500m"
19 | sidecar.istio.io/proxyCPULimit: "500m"
20 | sidecar.istio.io/proxyMemory: "256Mi"
21 | sidecar.istio.io/proxyMemoryLimit: "256Mi"
22 | spec:
23 | containers:
24 | - name: service-a-istio
25 | image: aputra/service-a-172:v4
26 | env:
27 | - name: TARGET
28 | value: "http://service-b-istio.default:8181"
29 | ports:
30 | - name: http
31 | containerPort: 8282
32 | resources:
33 | requests:
34 | memory: 2Gi
35 | cpu: "1"
36 | limits:
37 | memory: 2Gi
38 | cpu: "1"
39 | nodeSelector:
40 | service: istio
41 | tolerations:
42 | - key: service
43 | value: istio
44 | effect: NoSchedule
45 | operator: Equal
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.service-a-istio
File: /lessons/172/2-test/deployments/5-service-a-istio.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a-istio
6 | namespace: default
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-a-istio
12 | template:
13 | metadata:
14 | labels:
15 | app: service-a-istio
16 | sidecar.istio.io/inject: "true"
17 | annotations:
18 | sidecar.istio.io/proxyCPU: "500m"
19 | sidecar.istio.io/proxyCPULimit: "500m"
20 | sidecar.istio.io/proxyMemory: "256Mi"
21 | sidecar.istio.io/proxyMemoryLimit: "256Mi"
22 | spec:
23 | containers:
24 | - name: service-a-istio
25 | image: aputra/service-a-172:v4
26 | env:
27 | - name: TARGET
28 | value: "http://service-b-istio.default:8181"
29 | ports:
30 | - name: http
31 | containerPort: 8282
32 | resources:
33 | requests:
34 | memory: 2Gi
35 | cpu: "1"
36 | limits:
37 | memory: 2Gi
38 | cpu: "1"
39 | nodeSelector:
40 | service: istio
41 | tolerations:
42 | - key: service
43 | value: istio
44 | effect: NoSchedule
45 | operator: Equal
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.service-a-istio
File: /lessons/172/2-test/deployments/5-service-a-istio.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a-istio
6 | namespace: default
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-a-istio
12 | template:
13 | metadata:
14 | labels:
15 | app: service-a-istio
16 | sidecar.istio.io/inject: "true"
17 | annotations:
18 | sidecar.istio.io/proxyCPU: "500m"
19 | sidecar.istio.io/proxyCPULimit: "500m"
20 | sidecar.istio.io/proxyMemory: "256Mi"
21 | sidecar.istio.io/proxyMemoryLimit: "256Mi"
22 | spec:
23 | containers:
24 | - name: service-a-istio
25 | image: aputra/service-a-172:v4
26 | env:
27 | - name: TARGET
28 | value: "http://service-b-istio.default:8181"
29 | ports:
30 | - name: http
31 | containerPort: 8282
32 | resources:
33 | requests:
34 | memory: 2Gi
35 | cpu: "1"
36 | limits:
37 | memory: 2Gi
38 | cpu: "1"
39 | nodeSelector:
40 | service: istio
41 | tolerations:
42 | - key: service
43 | value: istio
44 | effect: NoSchedule
45 | operator: Equal
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.service-a-istio
File: /lessons/172/2-test/deployments/5-service-a-istio.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a-istio
6 | namespace: default
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-a-istio
12 | template:
13 | metadata:
14 | labels:
15 | app: service-a-istio
16 | sidecar.istio.io/inject: "true"
17 | annotations:
18 | sidecar.istio.io/proxyCPU: "500m"
19 | sidecar.istio.io/proxyCPULimit: "500m"
20 | sidecar.istio.io/proxyMemory: "256Mi"
21 | sidecar.istio.io/proxyMemoryLimit: "256Mi"
22 | spec:
23 | containers:
24 | - name: service-a-istio
25 | image: aputra/service-a-172:v4
26 | env:
27 | - name: TARGET
28 | value: "http://service-b-istio.default:8181"
29 | ports:
30 | - name: http
31 | containerPort: 8282
32 | resources:
33 | requests:
34 | memory: 2Gi
35 | cpu: "1"
36 | limits:
37 | memory: 2Gi
38 | cpu: "1"
39 | nodeSelector:
40 | service: istio
41 | tolerations:
42 | - key: service
43 | value: istio
44 | effect: NoSchedule
45 | operator: Equal
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.service-a-istio
File: /lessons/172/2-test/deployments/5-service-a-istio.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a-istio
6 | namespace: default
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-a-istio
12 | template:
13 | metadata:
14 | labels:
15 | app: service-a-istio
16 | sidecar.istio.io/inject: "true"
17 | annotations:
18 | sidecar.istio.io/proxyCPU: "500m"
19 | sidecar.istio.io/proxyCPULimit: "500m"
20 | sidecar.istio.io/proxyMemory: "256Mi"
21 | sidecar.istio.io/proxyMemoryLimit: "256Mi"
22 | spec:
23 | containers:
24 | - name: service-a-istio
25 | image: aputra/service-a-172:v4
26 | env:
27 | - name: TARGET
28 | value: "http://service-b-istio.default:8181"
29 | ports:
30 | - name: http
31 | containerPort: 8282
32 | resources:
33 | requests:
34 | memory: 2Gi
35 | cpu: "1"
36 | limits:
37 | memory: 2Gi
38 | cpu: "1"
39 | nodeSelector:
40 | service: istio
41 | tolerations:
42 | - key: service
43 | value: istio
44 | effect: NoSchedule
45 | operator: Equal
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.service-a-istio
File: /lessons/172/2-test/deployments/5-service-a-istio.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a-istio
6 | namespace: default
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-a-istio
12 | template:
13 | metadata:
14 | labels:
15 | app: service-a-istio
16 | sidecar.istio.io/inject: "true"
17 | annotations:
18 | sidecar.istio.io/proxyCPU: "500m"
19 | sidecar.istio.io/proxyCPULimit: "500m"
20 | sidecar.istio.io/proxyMemory: "256Mi"
21 | sidecar.istio.io/proxyMemoryLimit: "256Mi"
22 | spec:
23 | containers:
24 | - name: service-a-istio
25 | image: aputra/service-a-172:v4
26 | env:
27 | - name: TARGET
28 | value: "http://service-b-istio.default:8181"
29 | ports:
30 | - name: http
31 | containerPort: 8282
32 | resources:
33 | requests:
34 | memory: 2Gi
35 | cpu: "1"
36 | limits:
37 | memory: 2Gi
38 | cpu: "1"
39 | nodeSelector:
40 | service: istio
41 | tolerations:
42 | - key: service
43 | value: istio
44 | effect: NoSchedule
45 | operator: Equal
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.service-a-istio
File: /lessons/172/2-test/deployments/5-service-a-istio.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.service-a-istio
File: /lessons/172/2-test/deployments/5-service-a-istio.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.service-a-istio
File: /lessons/172/2-test/deployments/5-service-a-istio.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.service-a-istio
File: /lessons/172/2-test/deployments/5-service-a-istio.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.service-a-istio
File: /lessons/172/2-test/deployments/5-service-a-istio.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.service-a-istio
File: /lessons/172/2-test/deployments/5-service-a-istio.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.service-a-istio
File: /lessons/172/2-test/deployments/5-service-a-istio.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.service-a-linkerd
File: /lessons/172/2-test/deployments/0-service-a-linkerd.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-a-linkerd
6 |   namespace: default
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-a-linkerd
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-a-linkerd
16 |       annotations:
17 |         linkerd.io/inject: enabled
18 |         config.linkerd.io/proxy-cpu-limit: 500m
19 |         config.linkerd.io/proxy-cpu-request: 500m
20 |         config.linkerd.io/proxy-memory-limit: 256Mi
21 |         config.linkerd.io/proxy-memory-request: 256Mi
22 |     spec:
23 |       containers:
24 |         - name: service-a-linkerd
25 |           image: aputra/service-a-172:v4
26 |           env:
27 |             - name: TARGET
28 |               value: "http://service-b-linkerd.default:8181"
29 |           ports:
30 |             - name: http
31 |               containerPort: 8282
32 |           resources:
33 |             requests:
34 |               memory: 2Gi
35 |               cpu: "1"
36 |             limits:
37 |               memory: 2Gi
38 |               cpu: "1"
39 |       nodeSelector:
40 |         service: linkerd
41 |       tolerations:
42 |         - key: service
43 |           value: linkerd
44 |           effect: NoSchedule
45 |           operator: Equal
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.service-a-linkerd
File: /lessons/172/2-test/deployments/0-service-a-linkerd.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.service-a-linkerd
File: /lessons/172/2-test/deployments/0-service-a-linkerd.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.service-a-linkerd
File: /lessons/172/2-test/deployments/0-service-a-linkerd.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.service-a-linkerd
File: /lessons/172/2-test/deployments/0-service-a-linkerd.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.service-a-linkerd
File: /lessons/172/2-test/deployments/0-service-a-linkerd.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.service-a-linkerd
File: /lessons/172/2-test/deployments/0-service-a-linkerd.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.service-a-linkerd
File: /lessons/172/2-test/deployments/0-service-a-linkerd.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.service-a-linkerd
File: /lessons/172/2-test/deployments/0-service-a-linkerd.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.service-a-linkerd
File: /lessons/172/2-test/deployments/0-service-a-linkerd.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.service-a-linkerd
File: /lessons/172/2-test/deployments/0-service-a-linkerd.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.service-a-linkerd
File: /lessons/172/2-test/deployments/0-service-a-linkerd.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.service-a-linkerd
File: /lessons/172/2-test/deployments/0-service-a-linkerd.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.service-a-linkerd
File: /lessons/172/2-test/deployments/0-service-a-linkerd.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.service-a-linkerd
File: /lessons/172/2-test/deployments/0-service-a-linkerd.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.default.nginx
File: /lessons/095/examples/4-pod.yaml:2-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 |   name: nginx
6 | spec:
7 |   containers:
8 |     - name: nginx
9 |       image: nginx
10 |       imagePullPolicy: IfNotPresent
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.nginx
File: /lessons/095/examples/4-pod.yaml:2-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Pod.default.nginx
File: /lessons/095/examples/4-pod.yaml:2-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.nginx
File: /lessons/095/examples/4-pod.yaml:2-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.nginx
File: /lessons/095/examples/4-pod.yaml:2-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.nginx
File: /lessons/095/examples/4-pod.yaml:2-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: nginx
6 | spec:
7 | containers:
8 | - name: nginx
9 | image: nginx
10 | imagePullPolicy: IfNotPresent
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.default.nginx
File: /lessons/095/examples/4-pod.yaml:2-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: nginx
6 | spec:
7 | containers:
8 | - name: nginx
9 | image: nginx
10 | imagePullPolicy: IfNotPresent
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.nginx
File: /lessons/095/examples/4-pod.yaml:2-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: nginx
6 | spec:
7 | containers:
8 | - name: nginx
9 | image: nginx
10 | imagePullPolicy: IfNotPresent
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.nginx
File: /lessons/095/examples/4-pod.yaml:2-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: nginx
6 | spec:
7 | containers:
8 | - name: nginx
9 | image: nginx
10 | imagePullPolicy: IfNotPresent
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.nginx
File: /lessons/095/examples/4-pod.yaml:2-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: nginx
6 | spec:
7 | containers:
8 | - name: nginx
9 | image: nginx
10 | imagePullPolicy: IfNotPresent
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.default.nginx
File: /lessons/095/examples/4-pod.yaml:2-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: nginx
6 | spec:
7 | containers:
8 | - name: nginx
9 | image: nginx
10 | imagePullPolicy: IfNotPresent
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.nginx
File: /lessons/095/examples/4-pod.yaml:2-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: nginx
6 | spec:
7 | containers:
8 | - name: nginx
9 | image: nginx
10 | imagePullPolicy: IfNotPresent
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.default.nginx
File: /lessons/095/examples/4-pod.yaml:2-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: nginx
6 | spec:
7 | containers:
8 | - name: nginx
9 | image: nginx
10 | imagePullPolicy: IfNotPresent
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.nginx
File: /lessons/095/examples/4-pod.yaml:2-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: nginx
6 | spec:
7 | containers:
8 | - name: nginx
9 | image: nginx
10 | imagePullPolicy: IfNotPresent
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.nginx
File: /lessons/095/examples/4-pod.yaml:2-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: nginx
6 | spec:
7 | containers:
8 | - name: nginx
9 | image: nginx
10 | imagePullPolicy: IfNotPresent
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.nginx
File: /lessons/095/examples/4-pod.yaml:2-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: nginx
6 | spec:
7 | containers:
8 | - name: nginx
9 | image: nginx
10 | imagePullPolicy: IfNotPresent
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Pod.default.nginx
File: /lessons/095/examples/4-pod.yaml:2-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: nginx
6 | spec:
7 | containers:
8 | - name: nginx
9 | image: nginx
10 | imagePullPolicy: IfNotPresent
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Pod.default.nginx
File: /lessons/095/examples/4-pod.yaml:2-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: nginx
6 | spec:
7 | containers:
8 | - name: nginx
9 | image: nginx
10 | imagePullPolicy: IfNotPresent
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.default.nginx
File: /lessons/095/examples/4-pod.yaml:2-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: nginx
6 | spec:
7 | containers:
8 | - name: nginx
9 | image: nginx
10 | imagePullPolicy: IfNotPresent
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.nginx
File: /lessons/095/examples/4-pod.yaml:2-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: nginx
6 | spec:
7 | containers:
8 | - name: nginx
9 | image: nginx
10 | imagePullPolicy: IfNotPresent
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.high-priority-deployment
File: /lessons/095/examples/3-high-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: high-priority-deployment
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | priorityClassName: high-priority
17 | containers:
18 | - name: nginx
19 | image: nginx:1.14.2
20 | resources:
21 | requests:
22 | memory: 1Gi
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.high-priority-deployment
File: /lessons/095/examples/3-high-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: high-priority-deployment
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | priorityClassName: high-priority
17 | containers:
18 | - name: nginx
19 | image: nginx:1.14.2
20 | resources:
21 | requests:
22 | memory: 1Gi
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.high-priority-deployment
File: /lessons/095/examples/3-high-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: high-priority-deployment
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | priorityClassName: high-priority
17 | containers:
18 | - name: nginx
19 | image: nginx:1.14.2
20 | resources:
21 | requests:
22 | memory: 1Gi
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.high-priority-deployment
File: /lessons/095/examples/3-high-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: high-priority-deployment
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | priorityClassName: high-priority
17 | containers:
18 | - name: nginx
19 | image: nginx:1.14.2
20 | resources:
21 | requests:
22 | memory: 1Gi
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.high-priority-deployment
File: /lessons/095/examples/3-high-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: high-priority-deployment
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | priorityClassName: high-priority
17 | containers:
18 | - name: nginx
19 | image: nginx:1.14.2
20 | resources:
21 | requests:
22 | memory: 1Gi
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.high-priority-deployment
File: /lessons/095/examples/3-high-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: high-priority-deployment
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | priorityClassName: high-priority
17 | containers:
18 | - name: nginx
19 | image: nginx:1.14.2
20 | resources:
21 | requests:
22 | memory: 1Gi
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.high-priority-deployment
File: /lessons/095/examples/3-high-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: high-priority-deployment
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | priorityClassName: high-priority
17 | containers:
18 | - name: nginx
19 | image: nginx:1.14.2
20 | resources:
21 | requests:
22 | memory: 1Gi
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.high-priority-deployment
File: /lessons/095/examples/3-high-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: high-priority-deployment
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | priorityClassName: high-priority
17 | containers:
18 | - name: nginx
19 | image: nginx:1.14.2
20 | resources:
21 | requests:
22 | memory: 1Gi
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.high-priority-deployment
File: /lessons/095/examples/3-high-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: high-priority-deployment
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | priorityClassName: high-priority
17 | containers:
18 | - name: nginx
19 | image: nginx:1.14.2
20 | resources:
21 | requests:
22 | memory: 1Gi
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.high-priority-deployment
File: /lessons/095/examples/3-high-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: high-priority-deployment
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | priorityClassName: high-priority
17 | containers:
18 | - name: nginx
19 | image: nginx:1.14.2
20 | resources:
21 | requests:
22 | memory: 1Gi
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.high-priority-deployment
File: /lessons/095/examples/3-high-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: high-priority-deployment
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | priorityClassName: high-priority
17 | containers:
18 | - name: nginx
19 | image: nginx:1.14.2
20 | resources:
21 | requests:
22 | memory: 1Gi
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.high-priority-deployment
File: /lessons/095/examples/3-high-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: high-priority-deployment
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | priorityClassName: high-priority
17 | containers:
18 | - name: nginx
19 | image: nginx:1.14.2
20 | resources:
21 | requests:
22 | memory: 1Gi
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.high-priority-deployment
File: /lessons/095/examples/3-high-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: high-priority-deployment
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | priorityClassName: high-priority
17 | containers:
18 | - name: nginx
19 | image: nginx:1.14.2
20 | resources:
21 | requests:
22 | memory: 1Gi
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.high-priority-deployment
File: /lessons/095/examples/3-high-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: high-priority-deployment
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | priorityClassName: high-priority
17 | containers:
18 | - name: nginx
19 | image: nginx:1.14.2
20 | resources:
21 | requests:
22 | memory: 1Gi
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.high-priority-deployment
File: /lessons/095/examples/3-high-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: high-priority-deployment
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | priorityClassName: high-priority
17 | containers:
18 | - name: nginx
19 | image: nginx:1.14.2
20 | resources:
21 | requests:
22 | memory: 1Gi
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.high-priority-deployment
File: /lessons/095/examples/3-high-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: high-priority-deployment
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | priorityClassName: high-priority
17 | containers:
18 | - name: nginx
19 | image: nginx:1.14.2
20 | resources:
21 | requests:
22 | memory: 1Gi
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.high-priority-deployment
File: /lessons/095/examples/3-high-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: high-priority-deployment
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | priorityClassName: high-priority
17 | containers:
18 | - name: nginx
19 | image: nginx:1.14.2
20 | resources:
21 | requests:
22 | memory: 1Gi
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.high-priority-deployment
File: /lessons/095/examples/3-high-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: high-priority-deployment
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | priorityClassName: high-priority
17 | containers:
18 | - name: nginx
19 | image: nginx:1.14.2
20 | resources:
21 | requests:
22 | memory: 1Gi
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.low-priority-deployment
File: /lessons/095/examples/2-low-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: low-priority-deployment
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | priorityClassName: low-priority
17 | containers:
18 | - name: nginx
19 | image: nginx:1.14.2
20 | resources:
21 | requests:
22 | memory: 1Gi
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.low-priority-deployment
File: /lessons/095/examples/2-low-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: low-priority-deployment
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | priorityClassName: low-priority
17 | containers:
18 | - name: nginx
19 | image: nginx:1.14.2
20 | resources:
21 | requests:
22 | memory: 1Gi
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.low-priority-deployment
File: /lessons/095/examples/2-low-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: low-priority-deployment
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | priorityClassName: low-priority
17 | containers:
18 | - name: nginx
19 | image: nginx:1.14.2
20 | resources:
21 | requests:
22 | memory: 1Gi
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.low-priority-deployment
File: /lessons/095/examples/2-low-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: low-priority-deployment
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | priorityClassName: low-priority
17 | containers:
18 | - name: nginx
19 | image: nginx:1.14.2
20 | resources:
21 | requests:
22 | memory: 1Gi
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.low-priority-deployment
File: /lessons/095/examples/2-low-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: low-priority-deployment
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | priorityClassName: low-priority
17 | containers:
18 | - name: nginx
19 | image: nginx:1.14.2
20 | resources:
21 | requests:
22 | memory: 1Gi
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.low-priority-deployment
File: /lessons/095/examples/2-low-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: low-priority-deployment
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | priorityClassName: low-priority
17 | containers:
18 | - name: nginx
19 | image: nginx:1.14.2
20 | resources:
21 | requests:
22 | memory: 1Gi
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.low-priority-deployment
File: /lessons/095/examples/2-low-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: low-priority-deployment
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | priorityClassName: low-priority
17 | containers:
18 | - name: nginx
19 | image: nginx:1.14.2
20 | resources:
21 | requests:
22 | memory: 1Gi
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.low-priority-deployment
File: /lessons/095/examples/2-low-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: low-priority-deployment
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | priorityClassName: low-priority
17 | containers:
18 | - name: nginx
19 | image: nginx:1.14.2
20 | resources:
21 | requests:
22 | memory: 1Gi
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.low-priority-deployment
File: /lessons/095/examples/2-low-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: low-priority-deployment
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | priorityClassName: low-priority
17 | containers:
18 | - name: nginx
19 | image: nginx:1.14.2
20 | resources:
21 | requests:
22 | memory: 1Gi
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.low-priority-deployment
File: /lessons/095/examples/2-low-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: low-priority-deployment
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | priorityClassName: low-priority
17 | containers:
18 | - name: nginx
19 | image: nginx:1.14.2
20 | resources:
21 | requests:
22 | memory: 1Gi
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.low-priority-deployment
File: /lessons/095/examples/2-low-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: low-priority-deployment
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | priorityClassName: low-priority
17 | containers:
18 | - name: nginx
19 | image: nginx:1.14.2
20 | resources:
21 | requests:
22 | memory: 1Gi
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.low-priority-deployment
File: /lessons/095/examples/2-low-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: low-priority-deployment
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | priorityClassName: low-priority
17 | containers:
18 | - name: nginx
19 | image: nginx:1.14.2
20 | resources:
21 | requests:
22 | memory: 1Gi
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.low-priority-deployment
File: /lessons/095/examples/2-low-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: low-priority-deployment
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | priorityClassName: low-priority
17 | containers:
18 | - name: nginx
19 | image: nginx:1.14.2
20 | resources:
21 | requests:
22 | memory: 1Gi
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.low-priority-deployment
File: /lessons/095/examples/2-low-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: low-priority-deployment
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | priorityClassName: low-priority
17 | containers:
18 | - name: nginx
19 | image: nginx:1.14.2
20 | resources:
21 | requests:
22 | memory: 1Gi
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.low-priority-deployment
File: /lessons/095/examples/2-low-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.low-priority-deployment
File: /lessons/095/examples/2-low-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.low-priority-deployment
File: /lessons/095/examples/2-low-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.low-priority-deployment
File: /lessons/095/examples/2-low-priority-deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.myapp
File: /lessons/154/myapp/deploy/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: myapp
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: myapp
16 |     spec:
17 |       containers:
18 |         - name: myapp
19 |           image: aputra/myapp-lesson154:latest
20 |           imagePullPolicy: Always
21 |           ports:
22 |             - name: http
23 |               containerPort: 8080
24 |             - name: http-metrics
25 |               containerPort: 8081
26 |           resources:
27 |             requests:
28 |               memory: 256Mi
29 |               cpu: 200m
30 |             limits:
31 |               memory: 256Mi
32 |               cpu: 200m
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.myapp
File: /lessons/154/myapp/deploy/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.myapp
File: /lessons/154/myapp/deploy/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.myapp
File: /lessons/154/myapp/deploy/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.myapp
File: /lessons/154/myapp/deploy/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.myapp
File: /lessons/154/myapp/deploy/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.myapp
File: /lessons/154/myapp/deploy/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.myapp
File: /lessons/154/myapp/deploy/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.myapp
File: /lessons/154/myapp/deploy/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.myapp
File: /lessons/154/myapp/deploy/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.myapp
File: /lessons/154/myapp/deploy/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.myapp
File: /lessons/154/myapp/deploy/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.staging.myapp
File: /lessons/154/myapp/deploy/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.myapp
File: /lessons/154/myapp/deploy/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.blackbox-exporter
File: /lessons/154/blackbox-exporter/0-deployment.yaml:2-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: blackbox-exporter
6 |   namespace: monitoring
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: blackbox-exporter
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: blackbox-exporter
16 |     spec:
17 |       containers:
18 |         - name: blackbox-exporter
19 |           image: quay.io/prometheus/blackbox-exporter:v0.23.0
20 |           imagePullPolicy: Always
21 |           ports:
22 |             - name: http
23 |               containerPort: 9115
24 |           livenessProbe:
25 |             httpGet:
26 |               path: /health
27 |               port: http
28 |           readinessProbe:
29 |             httpGet:
30 |               path: /health
31 |               port: http
32 |           resources:
33 |             requests:
34 |               memory: 256Mi
35 |               cpu: 200m
36 |             limits:
37 |               memory: 256Mi
38 |               cpu: 200m
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.monitoring.blackbox-exporter
File: /lessons/154/blackbox-exporter/0-deployment.yaml:2-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.monitoring.blackbox-exporter
File: /lessons/154/blackbox-exporter/0-deployment.yaml:2-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.monitoring.blackbox-exporter
File: /lessons/154/blackbox-exporter/0-deployment.yaml:2-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.blackbox-exporter
File: /lessons/154/blackbox-exporter/0-deployment.yaml:2-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.monitoring.blackbox-exporter
File: /lessons/154/blackbox-exporter/0-deployment.yaml:2-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.monitoring.blackbox-exporter
File: /lessons/154/blackbox-exporter/0-deployment.yaml:2-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.monitoring.blackbox-exporter
File: /lessons/154/blackbox-exporter/0-deployment.yaml:2-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.monitoring.blackbox-exporter
File: /lessons/154/blackbox-exporter/0-deployment.yaml:2-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.monitoring.blackbox-exporter
File: /lessons/154/blackbox-exporter/0-deployment.yaml:2-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.blackbox-exporter
File: /lessons/154/blackbox-exporter/0-deployment.yaml:2-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/154/prometheus-operator/deployment/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/154/prometheus-operator/deployment/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/154/prometheus-operator/deployment/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/154/prometheus-operator/deployment/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/154/prometheus-operator/deployment/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/154/prometheus-operator/deployment/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: ClusterRole.default.prometheus-operator
File: /lessons/154/prometheus-operator/deployment/1-cluster-role.yaml:1-81
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: DaemonSet.default.example-2
File: /lessons/097/examples/1-daemon-set.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: DaemonSet
4 | metadata:
5 |   name: example-2
6 | spec:
7 |   selector:
8 |     matchLabels:
9 |       name: nginx
10 |   template:
11 |     metadata:
12 |       labels:
13 |         name: nginx
14 |     spec:
15 |       containers:
16 |         - name: nginx
17 |           image: nginx:1.14.2
18 |       tolerations:
19 |         - effect: NoSchedule
20 |           operator: Exists
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: DaemonSet.default.example-2
File: /lessons/097/examples/1-daemon-set.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: DaemonSet.default.example-2
File: /lessons/097/examples/1-daemon-set.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: DaemonSet.default.example-2
File: /lessons/097/examples/1-daemon-set.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: DaemonSet.default.example-2
File: /lessons/097/examples/1-daemon-set.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: DaemonSet.default.example-2
File: /lessons/097/examples/1-daemon-set.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: DaemonSet.default.example-2
File: /lessons/097/examples/1-daemon-set.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: DaemonSet.default.example-2
File: /lessons/097/examples/1-daemon-set.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: DaemonSet.default.example-2
File: /lessons/097/examples/1-daemon-set.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: DaemonSet.default.example-2
File: /lessons/097/examples/1-daemon-set.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: DaemonSet.default.example-2
File: /lessons/097/examples/1-daemon-set.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: DaemonSet.default.example-2
File: /lessons/097/examples/1-daemon-set.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: DaemonSet.default.example-2
File: /lessons/097/examples/1-daemon-set.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: DaemonSet.default.example-2
File: /lessons/097/examples/1-daemon-set.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: DaemonSet.default.example-2
File: /lessons/097/examples/1-daemon-set.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: DaemonSet.default.example-2
File: /lessons/097/examples/1-daemon-set.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: DaemonSet.default.example-2
File: /lessons/097/examples/1-daemon-set.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: DaemonSet.default.example-2
File: /lessons/097/examples/1-daemon-set.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: DaemonSet.default.example-2
File: /lessons/097/examples/1-daemon-set.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.example-1
File: /lessons/097/examples/0-toleration.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: example-1
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
21 | tolerations:
22 | - key: role
23 | operator: Equal
24 | value: spot
25 | effect: NoSchedule
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.example-1
File: /lessons/097/examples/0-toleration.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.example-1
File: /lessons/097/examples/0-toleration.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.example-1
File: /lessons/097/examples/0-toleration.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.example-1
File: /lessons/097/examples/0-toleration.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.example-1
File: /lessons/097/examples/0-toleration.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.example-1
File: /lessons/097/examples/0-toleration.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.example-1
File: /lessons/097/examples/0-toleration.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.example-1
File: /lessons/097/examples/0-toleration.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.example-1
File: /lessons/097/examples/0-toleration.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.example-1
File: /lessons/097/examples/0-toleration.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.example-1
File: /lessons/097/examples/0-toleration.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.example-1
File: /lessons/097/examples/0-toleration.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.example-1
File: /lessons/097/examples/0-toleration.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.example-1
File: /lessons/097/examples/0-toleration.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.example-1
File: /lessons/097/examples/0-toleration.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.example-1
File: /lessons/097/examples/0-toleration.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.example-1
File: /lessons/097/examples/0-toleration.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.example-1
File: /lessons/097/examples/0-toleration.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Role.default.eks-ebs-csi-driver
File: /lessons/176/4-irsa/1-csi-driver-iam.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: iam.aws.upbound.io/v1beta1
3 | kind: Role
4 | metadata:
5 | name: eks-ebs-csi-driver
6 | spec:
7 | forProvider:
8 | assumeRolePolicy: |
9 | {
10 | "Version": "2012-10-17",
11 | "Statement": [
12 | {
13 | "Effect": "Allow",
14 | "Action": "sts:AssumeRoleWithWebIdentity",
15 | "Principal": {
16 | "Federated": "arn:aws:iam::424432388155:oidc-provider/oidc.eks.us-east-2.amazonaws.com/id/2CBE3D3F6C281B6791594324922A4727"
17 | },
18 | "Condition": {
19 | "StringEquals": {
20 | "oidc.eks.us-east-2.amazonaws.com/id/2CBE3D3F6C281B6791594324922A4727:sub": "system:serviceaccount:kube-system:ebs-csi-controller-sa"
21 | }
22 | }
23 | }
24 | ]
25 | }
26 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: StatefulSet.default.web
File: /lessons/176/5-storageclass/1-sts.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | spec:
7 | replicas: 1
8 | serviceName: nginx
9 | selector:
10 | matchLabels:
11 | app: nginx
12 | template:
13 | metadata:
14 | labels:
15 | app: nginx
16 | spec:
17 | containers:
18 | - name: nginx
19 | image: registry.k8s.io/nginx-slim:0.8
20 | ports:
21 | - containerPort: 80
22 | name: web
23 | volumeMounts:
24 | - name: www
25 | mountPath: /usr/share/nginx/html
26 | volumeClaimTemplates:
27 | - metadata:
28 | name: www
29 | spec:
30 | accessModes: ["ReadWriteOnce"]
31 | storageClassName: gp3-ebs
32 | resources:
33 | requests:
34 | storage: 10Gi
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: StatefulSet.default.web
File: /lessons/176/5-storageclass/1-sts.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: StatefulSet.default.web
File: /lessons/176/5-storageclass/1-sts.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: StatefulSet.default.web
File: /lessons/176/5-storageclass/1-sts.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: StatefulSet.default.web
File: /lessons/176/5-storageclass/1-sts.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: StatefulSet.default.web
File: /lessons/176/5-storageclass/1-sts.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: StatefulSet.default.web
File: /lessons/176/5-storageclass/1-sts.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: StatefulSet.default.web
File: /lessons/176/5-storageclass/1-sts.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: StatefulSet.default.web
File: /lessons/176/5-storageclass/1-sts.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: StatefulSet.default.web
File: /lessons/176/5-storageclass/1-sts.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: StatefulSet.default.web
File: /lessons/176/5-storageclass/1-sts.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: StatefulSet.default.web
File: /lessons/176/5-storageclass/1-sts.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: StatefulSet.default.web
File: /lessons/176/5-storageclass/1-sts.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: StatefulSet.default.web
File: /lessons/176/5-storageclass/1-sts.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: StatefulSet.default.web
File: /lessons/176/5-storageclass/1-sts.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: StatefulSet.default.web
File: /lessons/176/5-storageclass/1-sts.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: StatefulSet.default.web
File: /lessons/176/5-storageclass/1-sts.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: StatefulSet.default.web
File: /lessons/176/5-storageclass/1-sts.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: StatefulSet.default.web
File: /lessons/176/5-storageclass/1-sts.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/176/6-cluster-autoscaler/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx-deployment
6 |   labels:
7 |     app: nginx
8 | spec:
9 |   replicas: 5
10 |   selector:
11 |     matchLabels:
12 |       app: nginx
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: nginx
17 |     spec:
18 |       containers:
19 |       - name: nginx
20 |         image: nginx:1.14.2
21 |         ports:
22 |         - containerPort: 80
23 |         resources:
24 |           requests:
25 |             memory: 256Mi
26 |             cpu: 250m
27 |           limits:
28 |             memory: 256Mi
29 |             cpu: 250m
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/176/6-cluster-autoscaler/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/176/6-cluster-autoscaler/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/176/6-cluster-autoscaler/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/176/6-cluster-autoscaler/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/176/6-cluster-autoscaler/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/176/6-cluster-autoscaler/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/176/6-cluster-autoscaler/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/176/6-cluster-autoscaler/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/176/6-cluster-autoscaler/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/176/6-cluster-autoscaler/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/176/6-cluster-autoscaler/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/176/6-cluster-autoscaler/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/176/6-cluster-autoscaler/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/176/6-cluster-autoscaler/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Role.default.cluster-autoscaler
File: /lessons/176/6-cluster-autoscaler/0-cluster-autoscaler-iam.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: iam.aws.upbound.io/v1beta1
3 | kind: Role
4 | metadata:
5 |   name: cluster-autoscaler
6 | spec:
7 |   forProvider:
8 |     assumeRolePolicy: |
9 |       {
10 |         "Version": "2012-10-17",
11 |         "Statement": [
12 |           {
13 |             "Effect": "Allow",
14 |             "Action": "sts:AssumeRoleWithWebIdentity",
15 |             "Principal": {
16 |               "Federated": "arn:aws:iam::424432388155:oidc-provider/oidc.eks.us-east-2.amazonaws.com/id/2CBE3D3F6C281B6791594324922A4727"
17 |             },
18 |             "Condition": {
19 |               "StringEquals": {
20 |                 "oidc.eks.us-east-2.amazonaws.com/id/2CBE3D3F6C281B6791594324922A4727:sub": "system:serviceaccount:kube-system:cluster-autoscaler"
21 |               }
22 |             }
23 |           }
24 |         ]
25 |       }
26 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Role.default.dev-demo-eks-cluster
File: /lessons/176/3-eks/0-eks-iam-role.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: iam.aws.upbound.io/v1beta1
3 | kind: Role
4 | metadata:
5 |   name: dev-demo-eks-cluster
6 | spec:
7 |   forProvider:
8 |     assumeRolePolicy: |
9 |       {
10 |         "Version": "2012-10-17",
11 |         "Statement": [
12 |           {
13 |             "Effect": "Allow",
14 |             "Principal": {
15 |               "Service": "eks.amazonaws.com"
16 |             },
17 |             "Action": "sts:AssumeRole"
18 |           }
19 |         ]
20 |       }
21 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Role.default.dev-demo-eks-nodes
File: /lessons/176/3-eks/2-nodes-iam.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: iam.aws.upbound.io/v1beta1
3 | kind: Role
4 | metadata:
5 |   name: dev-demo-eks-nodes
6 | spec:
7 |   forProvider:
8 |     assumeRolePolicy: |
9 |       {
10 |         "Version": "2012-10-17",
11 |         "Statement": [
12 |           {
13 |             "Effect": "Allow",
14 |             "Action": "sts:AssumeRole",
15 |             "Principal": {
16 |               "Service": "ec2.amazonaws.com"
17 |             }
18 |           }
19 |         ]
20 |       }
21 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/149/monitoring/cadvison/daemonset.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/149/monitoring/cadvison/daemonset.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/149/monitoring/cadvison/daemonset.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/149/monitoring/cadvison/daemonset.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/149/monitoring/cadvison/daemonset.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/149/monitoring/cadvison/daemonset.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/149/monitoring/cadvison/daemonset.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/149/monitoring/cadvison/daemonset.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/149/monitoring/cadvison/daemonset.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/149/monitoring/cadvison/daemonset.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/149/monitoring/cadvison/daemonset.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/149/monitoring/cadvison/daemonset.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/149/monitoring/cadvison/daemonset.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/149/monitoring/grafana/deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/149/monitoring/grafana/deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/149/monitoring/grafana/deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/149/monitoring/grafana/deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/149/monitoring/grafana/deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/149/monitoring/grafana/deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/149/monitoring/grafana/deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/149/monitoring/grafana/deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/149/monitoring/grafana/deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/149/monitoring/grafana/deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/149/monitoring/grafana/deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: ClusterRole.default.prometheus-operator
File: /lessons/149/monitoring/prometheus-operator/rbac.yaml:19-98
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/149/monitoring/prometheus-operator/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/149/monitoring/prometheus-operator/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/149/monitoring/prometheus-operator/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/149/monitoring/prometheus-operator/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/149/monitoring/prometheus-operator/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/149/monitoring/prometheus-operator/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/149/monitoring/kube-state-metrics/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/149/monitoring/kube-state-metrics/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/149/monitoring/kube-state-metrics/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/149/monitoring/kube-state-metrics/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/149/monitoring/kube-state-metrics/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.grpc
File: /lessons/149/app/deploy/grpc/deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: grpc
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: grpc
12 | template:
13 | metadata:
14 | labels:
15 | app: grpc
16 | spec:
17 | containers:
18 | - name: grpc
19 | image: aputra/grpc-lesson149:latest
20 | ports:
21 | - name: grpc
22 | containerPort: 8082
23 | resources:
24 | requests:
25 | memory: 64Mi
26 | cpu: 50m
27 | limits:
28 | memory: 64Mi
29 | cpu: 50m
30 | affinity:
31 | podAntiAffinity:
32 | requiredDuringSchedulingIgnoredDuringExecution:
33 | - labelSelector:
34 | matchExpressions:
35 | - key: app
36 | operator: In
37 | values:
38 | - grpc
39 | - rest
40 | topologyKey: "kubernetes.io/hostname"
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.grpc
File: /lessons/149/app/deploy/grpc/deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.grpc
File: /lessons/149/app/deploy/grpc/deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.grpc
File: /lessons/149/app/deploy/grpc/deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.grpc
File: /lessons/149/app/deploy/grpc/deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.grpc
File: /lessons/149/app/deploy/grpc/deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.grpc
File: /lessons/149/app/deploy/grpc/deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.grpc
File: /lessons/149/app/deploy/grpc/deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.grpc
File: /lessons/149/app/deploy/grpc/deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.grpc
File: /lessons/149/app/deploy/grpc/deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.grpc
File: /lessons/149/app/deploy/grpc/deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.grpc
File: /lessons/149/app/deploy/grpc/deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.staging.grpc
File: /lessons/149/app/deploy/grpc/deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.grpc
File: /lessons/149/app/deploy/grpc/deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.rest
File: /lessons/149/app/deploy/rest/deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: rest
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: rest
12 | template:
13 | metadata:
14 | labels:
15 | app: rest
16 | spec:
17 | containers:
18 | - name: rest
19 | image: aputra/rest-lesson149:latest
20 | ports:
21 | - name: http
22 | containerPort: 8080
23 | - name: metrics
24 | containerPort: 8081
25 | resources:
26 | requests:
27 | memory: 64Mi
28 | cpu: 50m
29 | limits:
30 | memory: 64Mi
31 | cpu: 50m
32 | affinity:
33 | podAntiAffinity:
34 | requiredDuringSchedulingIgnoredDuringExecution:
35 | - labelSelector:
36 | matchExpressions:
37 | - key: app
38 | operator: In
39 | values:
40 | - grpc
41 | - rest
42 | topologyKey: "kubernetes.io/hostname"
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.rest
File: /lessons/149/app/deploy/rest/deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.rest
File: /lessons/149/app/deploy/rest/deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.rest
File: /lessons/149/app/deploy/rest/deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.rest
File: /lessons/149/app/deploy/rest/deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.rest
File: /lessons/149/app/deploy/rest/deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.rest
File: /lessons/149/app/deploy/rest/deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.rest
File: /lessons/149/app/deploy/rest/deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.rest
File: /lessons/149/app/deploy/rest/deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.rest
File: /lessons/149/app/deploy/rest/deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.rest
File: /lessons/149/app/deploy/rest/deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.rest
File: /lessons/149/app/deploy/rest/deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.staging.rest
File: /lessons/149/app/deploy/rest/deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.rest
File: /lessons/149/app/deploy/rest/deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/136/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/136/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/136/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/136/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/136/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/136/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/136/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/136/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/136/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/136/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/136/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/136/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/136/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/136/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/136/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/136/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/136/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/136/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/136/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/136/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/136/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/136/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/136/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/136/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/136/monitoring/prometheus-operator/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/136/monitoring/prometheus-operator/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/136/monitoring/prometheus-operator/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/136/monitoring/prometheus-operator/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/136/monitoring/prometheus-operator/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/136/monitoring/prometheus-operator/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: ClusterRole.default.prometheus-operator
File: /lessons/136/monitoring/prometheus-operator/1-cluster-role.yaml:2-81
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/136/monitoring/kube-state-metrics/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/136/monitoring/kube-state-metrics/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/136/monitoring/kube-state-metrics/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/136/monitoring/kube-state-metrics/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/136/monitoring/kube-state-metrics/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.my-app
File: /lessons/136/my-app/deploy/1-deployment.yaml:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: my-app
6 |   namespace: staging
7 | spec:
8 |   replicas: 2
9 |   selector:
10 |     matchLabels:
11 |       app: my-app
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: my-app
16 |     spec:
17 |       containers:
18 |         - name: my-app
19 |           imagePullPolicy: Always
20 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/my-app:latest
21 |           ports:
22 |             - name: http
23 |               containerPort: 8080
24 |           env:
25 |             - name: GIN_MODE
26 |               value: release
27 |           resources:
28 |             requests:
29 |               cpu: 10m
30 |               memory: 16Mi
31 |             limits:
32 |               cpu: 20m
33 |               memory: 32Mi
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.my-app
File: /lessons/136/my-app/deploy/1-deployment.yaml:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: my-app
6 |   namespace: staging
7 | spec:
8 |   replicas: 2
9 |   selector:
10 |     matchLabels:
11 |       app: my-app
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: my-app
16 |     spec:
17 |       containers:
18 |         - name: my-app
19 |           imagePullPolicy: Always
20 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/my-app:latest
21 |           ports:
22 |             - name: http
23 |               containerPort: 8080
24 |           env:
25 |             - name: GIN_MODE
26 |               value: release
27 |           resources:
28 |             requests:
29 |               cpu: 10m
30 |               memory: 16Mi
31 |             limits:
32 |               cpu: 20m
33 |               memory: 32Mi
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.my-app
File: /lessons/136/my-app/deploy/1-deployment.yaml:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: my-app
6 |   namespace: staging
7 | spec:
8 |   replicas: 2
9 |   selector:
10 |     matchLabels:
11 |       app: my-app
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: my-app
16 |     spec:
17 |       containers:
18 |         - name: my-app
19 |           imagePullPolicy: Always
20 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/my-app:latest
21 |           ports:
22 |             - name: http
23 |               containerPort: 8080
24 |           env:
25 |             - name: GIN_MODE
26 |               value: release
27 |           resources:
28 |             requests:
29 |               cpu: 10m
30 |               memory: 16Mi
31 |             limits:
32 |               cpu: 20m
33 |               memory: 32Mi
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.my-app
File: /lessons/136/my-app/deploy/1-deployment.yaml:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: my-app
6 |   namespace: staging
7 | spec:
8 |   replicas: 2
9 |   selector:
10 |     matchLabels:
11 |       app: my-app
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: my-app
16 |     spec:
17 |       containers:
18 |         - name: my-app
19 |           imagePullPolicy: Always
20 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/my-app:latest
21 |           ports:
22 |             - name: http
23 |               containerPort: 8080
24 |           env:
25 |             - name: GIN_MODE
26 |               value: release
27 |           resources:
28 |             requests:
29 |               cpu: 10m
30 |               memory: 16Mi
31 |             limits:
32 |               cpu: 20m
33 |               memory: 32Mi
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.my-app
File: /lessons/136/my-app/deploy/1-deployment.yaml:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: my-app
6 |   namespace: staging
7 | spec:
8 |   replicas: 2
9 |   selector:
10 |     matchLabels:
11 |       app: my-app
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: my-app
16 |     spec:
17 |       containers:
18 |         - name: my-app
19 |           imagePullPolicy: Always
20 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/my-app:latest
21 |           ports:
22 |             - name: http
23 |               containerPort: 8080
24 |           env:
25 |             - name: GIN_MODE
26 |               value: release
27 |           resources:
28 |             requests:
29 |               cpu: 10m
30 |               memory: 16Mi
31 |             limits:
32 |               cpu: 20m
33 |               memory: 32Mi
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.my-app
File: /lessons/136/my-app/deploy/1-deployment.yaml:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: my-app
6 |   namespace: staging
7 | spec:
8 |   replicas: 2
9 |   selector:
10 |     matchLabels:
11 |       app: my-app
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: my-app
16 |     spec:
17 |       containers:
18 |         - name: my-app
19 |           imagePullPolicy: Always
20 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/my-app:latest
21 |           ports:
22 |             - name: http
23 |               containerPort: 8080
24 |           env:
25 |             - name: GIN_MODE
26 |               value: release
27 |           resources:
28 |             requests:
29 |               cpu: 10m
30 |               memory: 16Mi
31 |             limits:
32 |               cpu: 20m
33 |               memory: 32Mi
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.my-app
File: /lessons/136/my-app/deploy/1-deployment.yaml:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: my-app
6 |   namespace: staging
7 | spec:
8 |   replicas: 2
9 |   selector:
10 |     matchLabels:
11 |       app: my-app
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: my-app
16 |     spec:
17 |       containers:
18 |         - name: my-app
19 |           imagePullPolicy: Always
20 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/my-app:latest
21 |           ports:
22 |             - name: http
23 |               containerPort: 8080
24 |           env:
25 |             - name: GIN_MODE
26 |               value: release
27 |           resources:
28 |             requests:
29 |               cpu: 10m
30 |               memory: 16Mi
31 |             limits:
32 |               cpu: 20m
33 |               memory: 32Mi
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.my-app
File: /lessons/136/my-app/deploy/1-deployment.yaml:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: my-app
6 |   namespace: staging
7 | spec:
8 |   replicas: 2
9 |   selector:
10 |     matchLabels:
11 |       app: my-app
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: my-app
16 |     spec:
17 |       containers:
18 |         - name: my-app
19 |           imagePullPolicy: Always
20 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/my-app:latest
21 |           ports:
22 |             - name: http
23 |               containerPort: 8080
24 |           env:
25 |             - name: GIN_MODE
26 |               value: release
27 |           resources:
28 |             requests:
29 |               cpu: 10m
30 |               memory: 16Mi
31 |             limits:
32 |               cpu: 20m
33 |               memory: 32Mi
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.my-app
File: /lessons/136/my-app/deploy/1-deployment.yaml:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: my-app
6 |   namespace: staging
7 | spec:
8 |   replicas: 2
9 |   selector:
10 |     matchLabels:
11 |       app: my-app
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: my-app
16 |     spec:
17 |       containers:
18 |         - name: my-app
19 |           imagePullPolicy: Always
20 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/my-app:latest
21 |           ports:
22 |             - name: http
23 |               containerPort: 8080
24 |           env:
25 |             - name: GIN_MODE
26 |               value: release
27 |           resources:
28 |             requests:
29 |               cpu: 10m
30 |               memory: 16Mi
31 |             limits:
32 |               cpu: 20m
33 |               memory: 32Mi
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.my-app
File: /lessons/136/my-app/deploy/1-deployment.yaml:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: my-app
6 |   namespace: staging
7 | spec:
8 |   replicas: 2
9 |   selector:
10 |     matchLabels:
11 |       app: my-app
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: my-app
16 |     spec:
17 |       containers:
18 |         - name: my-app
19 |           imagePullPolicy: Always
20 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/my-app:latest
21 |           ports:
22 |             - name: http
23 |               containerPort: 8080
24 |           env:
25 |             - name: GIN_MODE
26 |               value: release
27 |           resources:
28 |             requests:
29 |               cpu: 10m
30 |               memory: 16Mi
31 |             limits:
32 |               cpu: 20m
33 |               memory: 32Mi
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.my-app
File: /lessons/136/my-app/deploy/1-deployment.yaml:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: my-app
6 |   namespace: staging
7 | spec:
8 |   replicas: 2
9 |   selector:
10 |     matchLabels:
11 |       app: my-app
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: my-app
16 |     spec:
17 |       containers:
18 |         - name: my-app
19 |           imagePullPolicy: Always
20 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/my-app:latest
21 |           ports:
22 |             - name: http
23 |               containerPort: 8080
24 |           env:
25 |             - name: GIN_MODE
26 |               value: release
27 |           resources:
28 |             requests:
29 |               cpu: 10m
30 |               memory: 16Mi
31 |             limits:
32 |               cpu: 20m
33 |               memory: 32Mi
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.my-app
File: /lessons/136/my-app/deploy/1-deployment.yaml:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: my-app
6 |   namespace: staging
7 | spec:
8 |   replicas: 2
9 |   selector:
10 |     matchLabels:
11 |       app: my-app
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: my-app
16 |     spec:
17 |       containers:
18 |         - name: my-app
19 |           imagePullPolicy: Always
20 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/my-app:latest
21 |           ports:
22 |             - name: http
23 |               containerPort: 8080
24 |           env:
25 |             - name: GIN_MODE
26 |               value: release
27 |           resources:
28 |             requests:
29 |               cpu: 10m
30 |               memory: 16Mi
31 |             limits:
32 |               cpu: 20m
33 |               memory: 32Mi
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.staging.my-app
File: /lessons/136/my-app/deploy/1-deployment.yaml:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: my-app
6 |   namespace: staging
7 | spec:
8 |   replicas: 2
9 |   selector:
10 |     matchLabels:
11 |       app: my-app
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: my-app
16 |     spec:
17 |       containers:
18 |         - name: my-app
19 |           imagePullPolicy: Always
20 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/my-app:latest
21 |           ports:
22 |             - name: http
23 |               containerPort: 8080
24 |           env:
25 |             - name: GIN_MODE
26 |               value: release
27 |           resources:
28 |             requests:
29 |               cpu: 10m
30 |               memory: 16Mi
31 |             limits:
32 |               cpu: 20m
33 |               memory: 32Mi
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.my-app
File: /lessons/136/my-app/deploy/1-deployment.yaml:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: my-app
6 |   namespace: staging
7 | spec:
8 |   replicas: 2
9 |   selector:
10 |     matchLabels:
11 |       app: my-app
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: my-app
16 |     spec:
17 |       containers:
18 |         - name: my-app
19 |           imagePullPolicy: Always
20 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/my-app:latest
21 |           ports:
22 |             - name: http
23 |               containerPort: 8080
24 |           env:
25 |             - name: GIN_MODE
26 |               value: release
27 |           resources:
28 |             requests:
29 |               cpu: 10m
30 |               memory: 16Mi
31 |             limits:
32 |               cpu: 20m
33 |               memory: 32Mi
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.ingress-nginx.ingress-nginx-controller
File: /lessons/046/k8s/2-nginx-ingress.yaml:213-300
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.ingress-nginx.ingress-nginx-controller
File: /lessons/046/k8s/2-nginx-ingress.yaml:213-300
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_25: "Minimize the admission of containers with added capability"
FAILED for resource: Deployment.ingress-nginx.ingress-nginx-controller
File: /lessons/046/k8s/2-nginx-ingress.yaml:213-300
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-24.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.ingress-nginx.ingress-nginx-controller
File: /lessons/046/k8s/2-nginx-ingress.yaml:213-300
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.ingress-nginx.ingress-nginx-controller
File: /lessons/046/k8s/2-nginx-ingress.yaml:213-300
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.ingress-nginx.ingress-nginx-controller
File: /lessons/046/k8s/2-nginx-ingress.yaml:213-300
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.ingress-nginx.ingress-nginx-controller
File: /lessons/046/k8s/2-nginx-ingress.yaml:213-300
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.ingress-nginx.ingress-nginx-controller
File: /lessons/046/k8s/2-nginx-ingress.yaml:213-300
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.ingress-nginx.ingress-nginx-controller
File: /lessons/046/k8s/2-nginx-ingress.yaml:213-300
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.express
File: /lessons/046/k8s/1-express.yaml:7-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: express
11 |   namespace: staging
12 |   labels:
13 |     app: express
14 | spec:
15 |   replicas: 2
16 |   selector:
17 |     matchLabels:
18 |       app: express
19 |   template:
20 |     metadata:
21 |       labels:
22 |         app: express
23 |     spec:
24 |       containers:
25 |         - name: express
26 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/express:v0.1.0
27 |           ports:
28 |             - name: http
29 |               containerPort: 8080
30 |           resources:
31 |             requests:
32 |               memory: 64Mi
33 |               cpu: 100m
34 |             limits:
35 |               memory: 128Mi
36 |               cpu: 300m
37 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.express
File: /lessons/046/k8s/1-express.yaml:7-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: express
11 |   namespace: staging
12 |   labels:
13 |     app: express
14 | spec:
15 |   replicas: 2
16 |   selector:
17 |     matchLabels:
18 |       app: express
19 |   template:
20 |     metadata:
21 |       labels:
22 |         app: express
23 |     spec:
24 |       containers:
25 |         - name: express
26 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/express:v0.1.0
27 |           ports:
28 |             - name: http
29 |               containerPort: 8080
30 |           resources:
31 |             requests:
32 |               memory: 64Mi
33 |               cpu: 100m
34 |             limits:
35 |               memory: 128Mi
36 |               cpu: 300m
37 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.express
File: /lessons/046/k8s/1-express.yaml:7-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: express
11 |   namespace: staging
12 |   labels:
13 |     app: express
14 | spec:
15 |   replicas: 2
16 |   selector:
17 |     matchLabels:
18 |       app: express
19 |   template:
20 |     metadata:
21 |       labels:
22 |         app: express
23 |     spec:
24 |       containers:
25 |         - name: express
26 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/express:v0.1.0
27 |           ports:
28 |             - name: http
29 |               containerPort: 8080
30 |           resources:
31 |             requests:
32 |               memory: 64Mi
33 |               cpu: 100m
34 |             limits:
35 |               memory: 128Mi
36 |               cpu: 300m
37 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.express
File: /lessons/046/k8s/1-express.yaml:7-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: express
11 |   namespace: staging
12 |   labels:
13 |     app: express
14 | spec:
15 |   replicas: 2
16 |   selector:
17 |     matchLabels:
18 |       app: express
19 |   template:
20 |     metadata:
21 |       labels:
22 |         app: express
23 |     spec:
24 |       containers:
25 |         - name: express
26 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/express:v0.1.0
27 |           ports:
28 |             - name: http
29 |               containerPort: 8080
30 |           resources:
31 |             requests:
32 |               memory: 64Mi
33 |               cpu: 100m
34 |             limits:
35 |               memory: 128Mi
36 |               cpu: 300m
37 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.express
File: /lessons/046/k8s/1-express.yaml:7-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: express
11 |   namespace: staging
12 |   labels:
13 |     app: express
14 | spec:
15 |   replicas: 2
16 |   selector:
17 |     matchLabels:
18 |       app: express
19 |   template:
20 |     metadata:
21 |       labels:
22 |         app: express
23 |     spec:
24 |       containers:
25 |         - name: express
26 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/express:v0.1.0
27 |           ports:
28 |             - name: http
29 |               containerPort: 8080
30 |           resources:
31 |             requests:
32 |               memory: 64Mi
33 |               cpu: 100m
34 |             limits:
35 |               memory: 128Mi
36 |               cpu: 300m
37 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.express
File: /lessons/046/k8s/1-express.yaml:7-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: express
11 |   namespace: staging
12 |   labels:
13 |     app: express
14 | spec:
15 |   replicas: 2
16 |   selector:
17 |     matchLabels:
18 |       app: express
19 |   template:
20 |     metadata:
21 |       labels:
22 |         app: express
23 |     spec:
24 |       containers:
25 |         - name: express
26 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/express:v0.1.0
27 |           ports:
28 |             - name: http
29 |               containerPort: 8080
30 |           resources:
31 |             requests:
32 |               memory: 64Mi
33 |               cpu: 100m
34 |             limits:
35 |               memory: 128Mi
36 |               cpu: 300m
37 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.express
File: /lessons/046/k8s/1-express.yaml:7-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: express
11 |   namespace: staging
12 |   labels:
13 |     app: express
14 | spec:
15 |   replicas: 2
16 |   selector:
17 |     matchLabels:
18 |       app: express
19 |   template:
20 |     metadata:
21 |       labels:
22 |         app: express
23 |     spec:
24 |       containers:
25 |         - name: express
26 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/express:v0.1.0
27 |           ports:
28 |             - name: http
29 |               containerPort: 8080
30 |           resources:
31 |             requests:
32 |               memory: 64Mi
33 |               cpu: 100m
34 |             limits:
35 |               memory: 128Mi
36 |               cpu: 300m
37 | ---
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.express
File: /lessons/046/k8s/1-express.yaml:7-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: express
11 |   namespace: staging
12 |   labels:
13 |     app: express
14 | spec:
15 |   replicas: 2
16 |   selector:
17 |     matchLabels:
18 |       app: express
19 |   template:
20 |     metadata:
21 |       labels:
22 |         app: express
23 |     spec:
24 |       containers:
25 |         - name: express
26 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/express:v0.1.0
27 |           ports:
28 |             - name: http
29 |               containerPort: 8080
30 |           resources:
31 |             requests:
32 |               memory: 64Mi
33 |               cpu: 100m
34 |             limits:
35 |               memory: 128Mi
36 |               cpu: 300m
37 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.express
File: /lessons/046/k8s/1-express.yaml:7-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: express
11 |   namespace: staging
12 |   labels:
13 |     app: express
14 | spec:
15 |   replicas: 2
16 |   selector:
17 |     matchLabels:
18 |       app: express
19 |   template:
20 |     metadata:
21 |       labels:
22 |         app: express
23 |     spec:
24 |       containers:
25 |         - name: express
26 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/express:v0.1.0
27 |           ports:
28 |             - name: http
29 |               containerPort: 8080
30 |           resources:
31 |             requests:
32 |               memory: 64Mi
33 |               cpu: 100m
34 |             limits:
35 |               memory: 128Mi
36 |               cpu: 300m
37 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.express
File: /lessons/046/k8s/1-express.yaml:7-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: express
11 |   namespace: staging
12 |   labels:
13 |     app: express
14 | spec:
15 |   replicas: 2
16 |   selector:
17 |     matchLabels:
18 |       app: express
19 |   template:
20 |     metadata:
21 |       labels:
22 |         app: express
23 |     spec:
24 |       containers:
25 |         - name: express
26 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/express:v0.1.0
27 |           ports:
28 |             - name: http
29 |               containerPort: 8080
30 |           resources:
31 |             requests:
32 |               memory: 64Mi
33 |               cpu: 100m
34 |             limits:
35 |               memory: 128Mi
36 |               cpu: 300m
37 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.express
File: /lessons/046/k8s/1-express.yaml:7-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: express
11 |   namespace: staging
12 |   labels:
13 |     app: express
14 | spec:
15 |   replicas: 2
16 |   selector:
17 |     matchLabels:
18 |       app: express
19 |   template:
20 |     metadata:
21 |       labels:
22 |         app: express
23 |     spec:
24 |       containers:
25 |         - name: express
26 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/express:v0.1.0
27 |           ports:
28 |             - name: http
29 |               containerPort: 8080
30 |           resources:
31 |             requests:
32 |               memory: 64Mi
33 |               cpu: 100m
34 |             limits:
35 |               memory: 128Mi
36 |               cpu: 300m
37 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.express
File: /lessons/046/k8s/1-express.yaml:7-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: express
11 |   namespace: staging
12 |   labels:
13 |     app: express
14 | spec:
15 |   replicas: 2
16 |   selector:
17 |     matchLabels:
18 |       app: express
19 |   template:
20 |     metadata:
21 |       labels:
22 |         app: express
23 |     spec:
24 |       containers:
25 |         - name: express
26 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/express:v0.1.0
27 |           ports:
28 |             - name: http
29 |               containerPort: 8080
30 |           resources:
31 |             requests:
32 |               memory: 64Mi
33 |               cpu: 100m
34 |             limits:
35 |               memory: 128Mi
36 |               cpu: 300m
37 | ---
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.staging.express
File: /lessons/046/k8s/1-express.yaml:7-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: express
11 |   namespace: staging
12 |   labels:
13 |     app: express
14 | spec:
15 |   replicas: 2
16 |   selector:
17 |     matchLabels:
18 |       app: express
19 |   template:
20 |     metadata:
21 |       labels:
22 |         app: express
23 |     spec:
24 |       containers:
25 |         - name: express
26 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/express:v0.1.0
27 |           ports:
28 |             - name: http
29 |               containerPort: 8080
30 |           resources:
31 |             requests:
32 |               memory: 64Mi
33 |               cpu: 100m
34 |             limits:
35 |               memory: 128Mi
36 |               cpu: 300m
37 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.express
File: /lessons/046/k8s/1-express.yaml:7-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: express
11 |   namespace: staging
12 |   labels:
13 |     app: express
14 | spec:
15 |   replicas: 2
16 |   selector:
17 |     matchLabels:
18 |       app: express
19 |   template:
20 |     metadata:
21 |       labels:
22 |         app: express
23 |     spec:
24 |       containers:
25 |         - name: express
26 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/express:v0.1.0
27 |           ports:
28 |             - name: http
29 |               containerPort: 8080
30 |           resources:
31 |             requests:
32 |               memory: 64Mi
33 |               cpu: 100m
34 |             limits:
35 |               memory: 128Mi
36 |               cpu: 300m
37 | ---
Check: CKV_K8S_155: "Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations"
FAILED for resource: ClusterRole.default.cert-manager-cainjector
File: /lessons/046/k8s/4-cert-manager.yaml:25474-25546
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-control-over-validating-or-mutating-admission-webhook-configurations-are-minimized.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/046/k8s/4-cert-manager.yaml:26289-26328
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
26289 | apiVersion: apps/v1
26290 | kind: Deployment
26291 | metadata:
26292 |   labels:
26293 |     app: cainjector
26294 |     app.kubernetes.io/component: cainjector
26295 |     app.kubernetes.io/instance: cert-manager
26296 |     app.kubernetes.io/name: cainjector
26297 |   name: cert-manager-cainjector
26298 |   namespace: cert-manager
26299 | spec:
26300 |   replicas: 1
26301 |   selector:
26302 |     matchLabels:
26303 |       app.kubernetes.io/component: cainjector
26304 |       app.kubernetes.io/instance: cert-manager
26305 |       app.kubernetes.io/name: cainjector
26306 |   template:
26307 |     metadata:
26308 |       labels:
26309 |         app: cainjector
26310 |         app.kubernetes.io/component: cainjector
26311 |         app.kubernetes.io/instance: cert-manager
26312 |         app.kubernetes.io/name: cainjector
26313 |     spec:
26314 |       containers:
26315 |       - args:
26316 |         - --v=2
26317 |         - --leader-election-namespace=kube-system
26318 |         env:
26319 |         - name: POD_NAMESPACE
26320 |           valueFrom:
26321 |             fieldRef:
26322 |               fieldPath: metadata.namespace
26323 |         image: quay.io/jetstack/cert-manager-cainjector:v1.2.0
26324 |         imagePullPolicy: IfNotPresent
26325 |         name: cert-manager
26326 |         resources: {}
26327 |       serviceAccountName: cert-manager-cainjector
26328 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/046/k8s/4-cert-manager.yaml:26289-26328
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
26289 | apiVersion: apps/v1
26290 | kind: Deployment
26291 | metadata:
26292 | labels:
26293 | app: cainjector
26294 | app.kubernetes.io/component: cainjector
26295 | app.kubernetes.io/instance: cert-manager
26296 | app.kubernetes.io/name: cainjector
26297 | name: cert-manager-cainjector
26298 | namespace: cert-manager
26299 | spec:
26300 | replicas: 1
26301 | selector:
26302 | matchLabels:
26303 | app.kubernetes.io/component: cainjector
26304 | app.kubernetes.io/instance: cert-manager
26305 | app.kubernetes.io/name: cainjector
26306 | template:
26307 | metadata:
26308 | labels:
26309 | app: cainjector
26310 | app.kubernetes.io/component: cainjector
26311 | app.kubernetes.io/instance: cert-manager
26312 | app.kubernetes.io/name: cainjector
26313 | spec:
26314 | containers:
26315 | - args:
26316 | - --v=2
26317 | - --leader-election-namespace=kube-system
26318 | env:
26319 | - name: POD_NAMESPACE
26320 | valueFrom:
26321 | fieldRef:
26322 | fieldPath: metadata.namespace
26323 | image: quay.io/jetstack/cert-manager-cainjector:v1.2.0
26324 | imagePullPolicy: IfNotPresent
26325 | name: cert-manager
26326 | resources: {}
26327 | serviceAccountName: cert-manager-cainjector
26328 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/046/k8s/4-cert-manager.yaml:26289-26328
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
26289 | apiVersion: apps/v1
26290 | kind: Deployment
26291 | metadata:
26292 | labels:
26293 | app: cainjector
26294 | app.kubernetes.io/component: cainjector
26295 | app.kubernetes.io/instance: cert-manager
26296 | app.kubernetes.io/name: cainjector
26297 | name: cert-manager-cainjector
26298 | namespace: cert-manager
26299 | spec:
26300 | replicas: 1
26301 | selector:
26302 | matchLabels:
26303 | app.kubernetes.io/component: cainjector
26304 | app.kubernetes.io/instance: cert-manager
26305 | app.kubernetes.io/name: cainjector
26306 | template:
26307 | metadata:
26308 | labels:
26309 | app: cainjector
26310 | app.kubernetes.io/component: cainjector
26311 | app.kubernetes.io/instance: cert-manager
26312 | app.kubernetes.io/name: cainjector
26313 | spec:
26314 | containers:
26315 | - args:
26316 | - --v=2
26317 | - --leader-election-namespace=kube-system
26318 | env:
26319 | - name: POD_NAMESPACE
26320 | valueFrom:
26321 | fieldRef:
26322 | fieldPath: metadata.namespace
26323 | image: quay.io/jetstack/cert-manager-cainjector:v1.2.0
26324 | imagePullPolicy: IfNotPresent
26325 | name: cert-manager
26326 | resources: {}
26327 | serviceAccountName: cert-manager-cainjector
26328 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/046/k8s/4-cert-manager.yaml:26289-26328
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
26289 | apiVersion: apps/v1
26290 | kind: Deployment
26291 | metadata:
26292 | labels:
26293 | app: cainjector
26294 | app.kubernetes.io/component: cainjector
26295 | app.kubernetes.io/instance: cert-manager
26296 | app.kubernetes.io/name: cainjector
26297 | name: cert-manager-cainjector
26298 | namespace: cert-manager
26299 | spec:
26300 | replicas: 1
26301 | selector:
26302 | matchLabels:
26303 | app.kubernetes.io/component: cainjector
26304 | app.kubernetes.io/instance: cert-manager
26305 | app.kubernetes.io/name: cainjector
26306 | template:
26307 | metadata:
26308 | labels:
26309 | app: cainjector
26310 | app.kubernetes.io/component: cainjector
26311 | app.kubernetes.io/instance: cert-manager
26312 | app.kubernetes.io/name: cainjector
26313 | spec:
26314 | containers:
26315 | - args:
26316 | - --v=2
26317 | - --leader-election-namespace=kube-system
26318 | env:
26319 | - name: POD_NAMESPACE
26320 | valueFrom:
26321 | fieldRef:
26322 | fieldPath: metadata.namespace
26323 | image: quay.io/jetstack/cert-manager-cainjector:v1.2.0
26324 | imagePullPolicy: IfNotPresent
26325 | name: cert-manager
26326 | resources: {}
26327 | serviceAccountName: cert-manager-cainjector
26328 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/046/k8s/4-cert-manager.yaml:26289-26328
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
26289 | apiVersion: apps/v1
26290 | kind: Deployment
26291 | metadata:
26292 | labels:
26293 | app: cainjector
26294 | app.kubernetes.io/component: cainjector
26295 | app.kubernetes.io/instance: cert-manager
26296 | app.kubernetes.io/name: cainjector
26297 | name: cert-manager-cainjector
26298 | namespace: cert-manager
26299 | spec:
26300 | replicas: 1
26301 | selector:
26302 | matchLabels:
26303 | app.kubernetes.io/component: cainjector
26304 | app.kubernetes.io/instance: cert-manager
26305 | app.kubernetes.io/name: cainjector
26306 | template:
26307 | metadata:
26308 | labels:
26309 | app: cainjector
26310 | app.kubernetes.io/component: cainjector
26311 | app.kubernetes.io/instance: cert-manager
26312 | app.kubernetes.io/name: cainjector
26313 | spec:
26314 | containers:
26315 | - args:
26316 | - --v=2
26317 | - --leader-election-namespace=kube-system
26318 | env:
26319 | - name: POD_NAMESPACE
26320 | valueFrom:
26321 | fieldRef:
26322 | fieldPath: metadata.namespace
26323 | image: quay.io/jetstack/cert-manager-cainjector:v1.2.0
26324 | imagePullPolicy: IfNotPresent
26325 | name: cert-manager
26326 | resources: {}
26327 | serviceAccountName: cert-manager-cainjector
26328 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/046/k8s/4-cert-manager.yaml:26289-26328
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
26289 | apiVersion: apps/v1
26290 | kind: Deployment
26291 | metadata:
26292 | labels:
26293 | app: cainjector
26294 | app.kubernetes.io/component: cainjector
26295 | app.kubernetes.io/instance: cert-manager
26296 | app.kubernetes.io/name: cainjector
26297 | name: cert-manager-cainjector
26298 | namespace: cert-manager
26299 | spec:
26300 | replicas: 1
26301 | selector:
26302 | matchLabels:
26303 | app.kubernetes.io/component: cainjector
26304 | app.kubernetes.io/instance: cert-manager
26305 | app.kubernetes.io/name: cainjector
26306 | template:
26307 | metadata:
26308 | labels:
26309 | app: cainjector
26310 | app.kubernetes.io/component: cainjector
26311 | app.kubernetes.io/instance: cert-manager
26312 | app.kubernetes.io/name: cainjector
26313 | spec:
26314 | containers:
26315 | - args:
26316 | - --v=2
26317 | - --leader-election-namespace=kube-system
26318 | env:
26319 | - name: POD_NAMESPACE
26320 | valueFrom:
26321 | fieldRef:
26322 | fieldPath: metadata.namespace
26323 | image: quay.io/jetstack/cert-manager-cainjector:v1.2.0
26324 | imagePullPolicy: IfNotPresent
26325 | name: cert-manager
26326 | resources: {}
26327 | serviceAccountName: cert-manager-cainjector
26328 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/046/k8s/4-cert-manager.yaml:26289-26328
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
26289 | apiVersion: apps/v1
26290 | kind: Deployment
26291 | metadata:
26292 | labels:
26293 | app: cainjector
26294 | app.kubernetes.io/component: cainjector
26295 | app.kubernetes.io/instance: cert-manager
26296 | app.kubernetes.io/name: cainjector
26297 | name: cert-manager-cainjector
26298 | namespace: cert-manager
26299 | spec:
26300 | replicas: 1
26301 | selector:
26302 | matchLabels:
26303 | app.kubernetes.io/component: cainjector
26304 | app.kubernetes.io/instance: cert-manager
26305 | app.kubernetes.io/name: cainjector
26306 | template:
26307 | metadata:
26308 | labels:
26309 | app: cainjector
26310 | app.kubernetes.io/component: cainjector
26311 | app.kubernetes.io/instance: cert-manager
26312 | app.kubernetes.io/name: cainjector
26313 | spec:
26314 | containers:
26315 | - args:
26316 | - --v=2
26317 | - --leader-election-namespace=kube-system
26318 | env:
26319 | - name: POD_NAMESPACE
26320 | valueFrom:
26321 | fieldRef:
26322 | fieldPath: metadata.namespace
26323 | image: quay.io/jetstack/cert-manager-cainjector:v1.2.0
26324 | imagePullPolicy: IfNotPresent
26325 | name: cert-manager
26326 | resources: {}
26327 | serviceAccountName: cert-manager-cainjector
26328 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/046/k8s/4-cert-manager.yaml:26289-26328
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
26289 | apiVersion: apps/v1
26290 | kind: Deployment
26291 | metadata:
26292 | labels:
26293 | app: cainjector
26294 | app.kubernetes.io/component: cainjector
26295 | app.kubernetes.io/instance: cert-manager
26296 | app.kubernetes.io/name: cainjector
26297 | name: cert-manager-cainjector
26298 | namespace: cert-manager
26299 | spec:
26300 | replicas: 1
26301 | selector:
26302 | matchLabels:
26303 | app.kubernetes.io/component: cainjector
26304 | app.kubernetes.io/instance: cert-manager
26305 | app.kubernetes.io/name: cainjector
26306 | template:
26307 | metadata:
26308 | labels:
26309 | app: cainjector
26310 | app.kubernetes.io/component: cainjector
26311 | app.kubernetes.io/instance: cert-manager
26312 | app.kubernetes.io/name: cainjector
26313 | spec:
26314 | containers:
26315 | - args:
26316 | - --v=2
26317 | - --leader-election-namespace=kube-system
26318 | env:
26319 | - name: POD_NAMESPACE
26320 | valueFrom:
26321 | fieldRef:
26322 | fieldPath: metadata.namespace
26323 | image: quay.io/jetstack/cert-manager-cainjector:v1.2.0
26324 | imagePullPolicy: IfNotPresent
26325 | name: cert-manager
26326 | resources: {}
26327 | serviceAccountName: cert-manager-cainjector
26328 | ---
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/046/k8s/4-cert-manager.yaml:26289-26328
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
26289 | apiVersion: apps/v1
26290 | kind: Deployment
26291 | metadata:
26292 | labels:
26293 | app: cainjector
26294 | app.kubernetes.io/component: cainjector
26295 | app.kubernetes.io/instance: cert-manager
26296 | app.kubernetes.io/name: cainjector
26297 | name: cert-manager-cainjector
26298 | namespace: cert-manager
26299 | spec:
26300 | replicas: 1
26301 | selector:
26302 | matchLabels:
26303 | app.kubernetes.io/component: cainjector
26304 | app.kubernetes.io/instance: cert-manager
26305 | app.kubernetes.io/name: cainjector
26306 | template:
26307 | metadata:
26308 | labels:
26309 | app: cainjector
26310 | app.kubernetes.io/component: cainjector
26311 | app.kubernetes.io/instance: cert-manager
26312 | app.kubernetes.io/name: cainjector
26313 | spec:
26314 | containers:
26315 | - args:
26316 | - --v=2
26317 | - --leader-election-namespace=kube-system
26318 | env:
26319 | - name: POD_NAMESPACE
26320 | valueFrom:
26321 | fieldRef:
26322 | fieldPath: metadata.namespace
26323 | image: quay.io/jetstack/cert-manager-cainjector:v1.2.0
26324 | imagePullPolicy: IfNotPresent
26325 | name: cert-manager
26326 | resources: {}
26327 | serviceAccountName: cert-manager-cainjector
26328 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/046/k8s/4-cert-manager.yaml:26289-26328
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
26289 | apiVersion: apps/v1
26290 | kind: Deployment
26291 | metadata:
26292 | labels:
26293 | app: cainjector
26294 | app.kubernetes.io/component: cainjector
26295 | app.kubernetes.io/instance: cert-manager
26296 | app.kubernetes.io/name: cainjector
26297 | name: cert-manager-cainjector
26298 | namespace: cert-manager
26299 | spec:
26300 | replicas: 1
26301 | selector:
26302 | matchLabels:
26303 | app.kubernetes.io/component: cainjector
26304 | app.kubernetes.io/instance: cert-manager
26305 | app.kubernetes.io/name: cainjector
26306 | template:
26307 | metadata:
26308 | labels:
26309 | app: cainjector
26310 | app.kubernetes.io/component: cainjector
26311 | app.kubernetes.io/instance: cert-manager
26312 | app.kubernetes.io/name: cainjector
26313 | spec:
26314 | containers:
26315 | - args:
26316 | - --v=2
26317 | - --leader-election-namespace=kube-system
26318 | env:
26319 | - name: POD_NAMESPACE
26320 | valueFrom:
26321 | fieldRef:
26322 | fieldPath: metadata.namespace
26323 | image: quay.io/jetstack/cert-manager-cainjector:v1.2.0
26324 | imagePullPolicy: IfNotPresent
26325 | name: cert-manager
26326 | resources: {}
26327 | serviceAccountName: cert-manager-cainjector
26328 | ---
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/046/k8s/4-cert-manager.yaml:26289-26328
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
26289 | apiVersion: apps/v1
26290 | kind: Deployment
26291 | metadata:
26292 | labels:
26293 | app: cainjector
26294 | app.kubernetes.io/component: cainjector
26295 | app.kubernetes.io/instance: cert-manager
26296 | app.kubernetes.io/name: cainjector
26297 | name: cert-manager-cainjector
26298 | namespace: cert-manager
26299 | spec:
26300 | replicas: 1
26301 | selector:
26302 | matchLabels:
26303 | app.kubernetes.io/component: cainjector
26304 | app.kubernetes.io/instance: cert-manager
26305 | app.kubernetes.io/name: cainjector
26306 | template:
26307 | metadata:
26308 | labels:
26309 | app: cainjector
26310 | app.kubernetes.io/component: cainjector
26311 | app.kubernetes.io/instance: cert-manager
26312 | app.kubernetes.io/name: cainjector
26313 | spec:
26314 | containers:
26315 | - args:
26316 | - --v=2
26317 | - --leader-election-namespace=kube-system
26318 | env:
26319 | - name: POD_NAMESPACE
26320 | valueFrom:
26321 | fieldRef:
26322 | fieldPath: metadata.namespace
26323 | image: quay.io/jetstack/cert-manager-cainjector:v1.2.0
26324 | imagePullPolicy: IfNotPresent
26325 | name: cert-manager
26326 | resources: {}
26327 | serviceAccountName: cert-manager-cainjector
26328 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/046/k8s/4-cert-manager.yaml:26289-26328
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
26289 | apiVersion: apps/v1
26290 | kind: Deployment
26291 | metadata:
26292 | labels:
26293 | app: cainjector
26294 | app.kubernetes.io/component: cainjector
26295 | app.kubernetes.io/instance: cert-manager
26296 | app.kubernetes.io/name: cainjector
26297 | name: cert-manager-cainjector
26298 | namespace: cert-manager
26299 | spec:
26300 | replicas: 1
26301 | selector:
26302 | matchLabels:
26303 | app.kubernetes.io/component: cainjector
26304 | app.kubernetes.io/instance: cert-manager
26305 | app.kubernetes.io/name: cainjector
26306 | template:
26307 | metadata:
26308 | labels:
26309 | app: cainjector
26310 | app.kubernetes.io/component: cainjector
26311 | app.kubernetes.io/instance: cert-manager
26312 | app.kubernetes.io/name: cainjector
26313 | spec:
26314 | containers:
26315 | - args:
26316 | - --v=2
26317 | - --leader-election-namespace=kube-system
26318 | env:
26319 | - name: POD_NAMESPACE
26320 | valueFrom:
26321 | fieldRef:
26322 | fieldPath: metadata.namespace
26323 | image: quay.io/jetstack/cert-manager-cainjector:v1.2.0
26324 | imagePullPolicy: IfNotPresent
26325 | name: cert-manager
26326 | resources: {}
26327 | serviceAccountName: cert-manager-cainjector
26328 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/046/k8s/4-cert-manager.yaml:26289-26328
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
26289 | apiVersion: apps/v1
26290 | kind: Deployment
26291 | metadata:
26292 | labels:
26293 | app: cainjector
26294 | app.kubernetes.io/component: cainjector
26295 | app.kubernetes.io/instance: cert-manager
26296 | app.kubernetes.io/name: cainjector
26297 | name: cert-manager-cainjector
26298 | namespace: cert-manager
26299 | spec:
26300 | replicas: 1
26301 | selector:
26302 | matchLabels:
26303 | app.kubernetes.io/component: cainjector
26304 | app.kubernetes.io/instance: cert-manager
26305 | app.kubernetes.io/name: cainjector
26306 | template:
26307 | metadata:
26308 | labels:
26309 | app: cainjector
26310 | app.kubernetes.io/component: cainjector
26311 | app.kubernetes.io/instance: cert-manager
26312 | app.kubernetes.io/name: cainjector
26313 | spec:
26314 | containers:
26315 | - args:
26316 | - --v=2
26317 | - --leader-election-namespace=kube-system
26318 | env:
26319 | - name: POD_NAMESPACE
26320 | valueFrom:
26321 | fieldRef:
26322 | fieldPath: metadata.namespace
26323 | image: quay.io/jetstack/cert-manager-cainjector:v1.2.0
26324 | imagePullPolicy: IfNotPresent
26325 | name: cert-manager
26326 | resources: {}
26327 | serviceAccountName: cert-manager-cainjector
26328 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/046/k8s/4-cert-manager.yaml:26289-26328
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
26289 | apiVersion: apps/v1
26290 | kind: Deployment
26291 | metadata:
26292 | labels:
26293 | app: cainjector
26294 | app.kubernetes.io/component: cainjector
26295 | app.kubernetes.io/instance: cert-manager
26296 | app.kubernetes.io/name: cainjector
26297 | name: cert-manager-cainjector
26298 | namespace: cert-manager
26299 | spec:
26300 | replicas: 1
26301 | selector:
26302 | matchLabels:
26303 | app.kubernetes.io/component: cainjector
26304 | app.kubernetes.io/instance: cert-manager
26305 | app.kubernetes.io/name: cainjector
26306 | template:
26307 | metadata:
26308 | labels:
26309 | app: cainjector
26310 | app.kubernetes.io/component: cainjector
26311 | app.kubernetes.io/instance: cert-manager
26312 | app.kubernetes.io/name: cainjector
26313 | spec:
26314 | containers:
26315 | - args:
26316 | - --v=2
26317 | - --leader-election-namespace=kube-system
26318 | env:
26319 | - name: POD_NAMESPACE
26320 | valueFrom:
26321 | fieldRef:
26322 | fieldPath: metadata.namespace
26323 | image: quay.io/jetstack/cert-manager-cainjector:v1.2.0
26324 | imagePullPolicy: IfNotPresent
26325 | name: cert-manager
26326 | resources: {}
26327 | serviceAccountName: cert-manager-cainjector
26328 | ---
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/046/k8s/4-cert-manager.yaml:26289-26328
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
26289 | apiVersion: apps/v1
26290 | kind: Deployment
26291 | metadata:
26292 | labels:
26293 | app: cainjector
26294 | app.kubernetes.io/component: cainjector
26295 | app.kubernetes.io/instance: cert-manager
26296 | app.kubernetes.io/name: cainjector
26297 | name: cert-manager-cainjector
26298 | namespace: cert-manager
26299 | spec:
26300 | replicas: 1
26301 | selector:
26302 | matchLabels:
26303 | app.kubernetes.io/component: cainjector
26304 | app.kubernetes.io/instance: cert-manager
26305 | app.kubernetes.io/name: cainjector
26306 | template:
26307 | metadata:
26308 | labels:
26309 | app: cainjector
26310 | app.kubernetes.io/component: cainjector
26311 | app.kubernetes.io/instance: cert-manager
26312 | app.kubernetes.io/name: cainjector
26313 | spec:
26314 | containers:
26315 | - args:
26316 | - --v=2
26317 | - --leader-election-namespace=kube-system
26318 | env:
26319 | - name: POD_NAMESPACE
26320 | valueFrom:
26321 | fieldRef:
26322 | fieldPath: metadata.namespace
26323 | image: quay.io/jetstack/cert-manager-cainjector:v1.2.0
26324 | imagePullPolicy: IfNotPresent
26325 | name: cert-manager
26326 | resources: {}
26327 | serviceAccountName: cert-manager-cainjector
26328 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/046/k8s/4-cert-manager.yaml:26289-26328
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
26289 | apiVersion: apps/v1
26290 | kind: Deployment
26291 | metadata:
26292 | labels:
26293 | app: cainjector
26294 | app.kubernetes.io/component: cainjector
26295 | app.kubernetes.io/instance: cert-manager
26296 | app.kubernetes.io/name: cainjector
26297 | name: cert-manager-cainjector
26298 | namespace: cert-manager
26299 | spec:
26300 | replicas: 1
26301 | selector:
26302 | matchLabels:
26303 | app.kubernetes.io/component: cainjector
26304 | app.kubernetes.io/instance: cert-manager
26305 | app.kubernetes.io/name: cainjector
26306 | template:
26307 | metadata:
26308 | labels:
26309 | app: cainjector
26310 | app.kubernetes.io/component: cainjector
26311 | app.kubernetes.io/instance: cert-manager
26312 | app.kubernetes.io/name: cainjector
26313 | spec:
26314 | containers:
26315 | - args:
26316 | - --v=2
26317 | - --leader-election-namespace=kube-system
26318 | env:
26319 | - name: POD_NAMESPACE
26320 | valueFrom:
26321 | fieldRef:
26322 | fieldPath: metadata.namespace
26323 | image: quay.io/jetstack/cert-manager-cainjector:v1.2.0
26324 | imagePullPolicy: IfNotPresent
26325 | name: cert-manager
26326 | resources: {}
26327 | serviceAccountName: cert-manager-cainjector
26328 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/046/k8s/4-cert-manager.yaml:26329-26376
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
26329 | apiVersion: apps/v1
26330 | kind: Deployment
26331 | metadata:
26332 | labels:
26333 | app: cert-manager
26334 | app.kubernetes.io/component: controller
26335 | app.kubernetes.io/instance: cert-manager
26336 | app.kubernetes.io/name: cert-manager
26337 | name: cert-manager
26338 | namespace: cert-manager
26339 | spec:
26340 | replicas: 1
26341 | selector:
26342 | matchLabels:
26343 | app.kubernetes.io/component: controller
26344 | app.kubernetes.io/instance: cert-manager
26345 | app.kubernetes.io/name: cert-manager
26346 | template:
26347 | metadata:
26348 | annotations:
26349 | prometheus.io/path: /metrics
26350 | prometheus.io/port: "9402"
26351 | prometheus.io/scrape: "true"
26352 | labels:
26353 | app: cert-manager
26354 | app.kubernetes.io/component: controller
26355 | app.kubernetes.io/instance: cert-manager
26356 | app.kubernetes.io/name: cert-manager
26357 | spec:
26358 | containers:
26359 | - args:
26360 | - --v=2
26361 | - --cluster-resource-namespace=$(POD_NAMESPACE)
26362 | - --leader-election-namespace=kube-system
26363 | env:
26364 | - name: POD_NAMESPACE
26365 | valueFrom:
26366 | fieldRef:
26367 | fieldPath: metadata.namespace
26368 | image: quay.io/jetstack/cert-manager-controller:v1.2.0
26369 | imagePullPolicy: IfNotPresent
26370 | name: cert-manager
26371 | ports:
26372 | - containerPort: 9402
26373 | protocol: TCP
26374 | resources: {}
26375 | serviceAccountName: cert-manager
26376 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/046/k8s/4-cert-manager.yaml:26329-26376
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
26329 | apiVersion: apps/v1
26330 | kind: Deployment
26331 | metadata:
26332 | labels:
26333 | app: cert-manager
26334 | app.kubernetes.io/component: controller
26335 | app.kubernetes.io/instance: cert-manager
26336 | app.kubernetes.io/name: cert-manager
26337 | name: cert-manager
26338 | namespace: cert-manager
26339 | spec:
26340 | replicas: 1
26341 | selector:
26342 | matchLabels:
26343 | app.kubernetes.io/component: controller
26344 | app.kubernetes.io/instance: cert-manager
26345 | app.kubernetes.io/name: cert-manager
26346 | template:
26347 | metadata:
26348 | annotations:
26349 | prometheus.io/path: /metrics
26350 | prometheus.io/port: "9402"
26351 | prometheus.io/scrape: "true"
26352 | labels:
26353 | app: cert-manager
26354 | app.kubernetes.io/component: controller
26355 | app.kubernetes.io/instance: cert-manager
26356 | app.kubernetes.io/name: cert-manager
26357 | spec:
26358 | containers:
26359 | - args:
26360 | - --v=2
26361 | - --cluster-resource-namespace=$(POD_NAMESPACE)
26362 | - --leader-election-namespace=kube-system
26363 | env:
26364 | - name: POD_NAMESPACE
26365 | valueFrom:
26366 | fieldRef:
26367 | fieldPath: metadata.namespace
26368 | image: quay.io/jetstack/cert-manager-controller:v1.2.0
26369 | imagePullPolicy: IfNotPresent
26370 | name: cert-manager
26371 | ports:
26372 | - containerPort: 9402
26373 | protocol: TCP
26374 | resources: {}
26375 | serviceAccountName: cert-manager
26376 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/046/k8s/4-cert-manager.yaml:26329-26376
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
26329 | apiVersion: apps/v1
26330 | kind: Deployment
26331 | metadata:
26332 | labels:
26333 | app: cert-manager
26334 | app.kubernetes.io/component: controller
26335 | app.kubernetes.io/instance: cert-manager
26336 | app.kubernetes.io/name: cert-manager
26337 | name: cert-manager
26338 | namespace: cert-manager
26339 | spec:
26340 | replicas: 1
26341 | selector:
26342 | matchLabels:
26343 | app.kubernetes.io/component: controller
26344 | app.kubernetes.io/instance: cert-manager
26345 | app.kubernetes.io/name: cert-manager
26346 | template:
26347 | metadata:
26348 | annotations:
26349 | prometheus.io/path: /metrics
26350 | prometheus.io/port: "9402"
26351 | prometheus.io/scrape: "true"
26352 | labels:
26353 | app: cert-manager
26354 | app.kubernetes.io/component: controller
26355 | app.kubernetes.io/instance: cert-manager
26356 | app.kubernetes.io/name: cert-manager
26357 | spec:
26358 | containers:
26359 | - args:
26360 | - --v=2
26361 | - --cluster-resource-namespace=$(POD_NAMESPACE)
26362 | - --leader-election-namespace=kube-system
26363 | env:
26364 | - name: POD_NAMESPACE
26365 | valueFrom:
26366 | fieldRef:
26367 | fieldPath: metadata.namespace
26368 | image: quay.io/jetstack/cert-manager-controller:v1.2.0
26369 | imagePullPolicy: IfNotPresent
26370 | name: cert-manager
26371 | ports:
26372 | - containerPort: 9402
26373 | protocol: TCP
26374 | resources: {}
26375 | serviceAccountName: cert-manager
26376 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/046/k8s/4-cert-manager.yaml:26329-26376
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
26329 | apiVersion: apps/v1
26330 | kind: Deployment
26331 | metadata:
26332 | labels:
26333 | app: cert-manager
26334 | app.kubernetes.io/component: controller
26335 | app.kubernetes.io/instance: cert-manager
26336 | app.kubernetes.io/name: cert-manager
26337 | name: cert-manager
26338 | namespace: cert-manager
26339 | spec:
26340 | replicas: 1
26341 | selector:
26342 | matchLabels:
26343 | app.kubernetes.io/component: controller
26344 | app.kubernetes.io/instance: cert-manager
26345 | app.kubernetes.io/name: cert-manager
26346 | template:
26347 | metadata:
26348 | annotations:
26349 | prometheus.io/path: /metrics
26350 | prometheus.io/port: "9402"
26351 | prometheus.io/scrape: "true"
26352 | labels:
26353 | app: cert-manager
26354 | app.kubernetes.io/component: controller
26355 | app.kubernetes.io/instance: cert-manager
26356 | app.kubernetes.io/name: cert-manager
26357 | spec:
26358 | containers:
26359 | - args:
26360 | - --v=2
26361 | - --cluster-resource-namespace=$(POD_NAMESPACE)
26362 | - --leader-election-namespace=kube-system
26363 | env:
26364 | - name: POD_NAMESPACE
26365 | valueFrom:
26366 | fieldRef:
26367 | fieldPath: metadata.namespace
26368 | image: quay.io/jetstack/cert-manager-controller:v1.2.0
26369 | imagePullPolicy: IfNotPresent
26370 | name: cert-manager
26371 | ports:
26372 | - containerPort: 9402
26373 | protocol: TCP
26374 | resources: {}
26375 | serviceAccountName: cert-manager
26376 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/046/k8s/4-cert-manager.yaml:26329-26376
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
26329 | apiVersion: apps/v1
26330 | kind: Deployment
26331 | metadata:
26332 | labels:
26333 | app: cert-manager
26334 | app.kubernetes.io/component: controller
26335 | app.kubernetes.io/instance: cert-manager
26336 | app.kubernetes.io/name: cert-manager
26337 | name: cert-manager
26338 | namespace: cert-manager
26339 | spec:
26340 | replicas: 1
26341 | selector:
26342 | matchLabels:
26343 | app.kubernetes.io/component: controller
26344 | app.kubernetes.io/instance: cert-manager
26345 | app.kubernetes.io/name: cert-manager
26346 | template:
26347 | metadata:
26348 | annotations:
26349 | prometheus.io/path: /metrics
26350 | prometheus.io/port: "9402"
26351 | prometheus.io/scrape: "true"
26352 | labels:
26353 | app: cert-manager
26354 | app.kubernetes.io/component: controller
26355 | app.kubernetes.io/instance: cert-manager
26356 | app.kubernetes.io/name: cert-manager
26357 | spec:
26358 | containers:
26359 | - args:
26360 | - --v=2
26361 | - --cluster-resource-namespace=$(POD_NAMESPACE)
26362 | - --leader-election-namespace=kube-system
26363 | env:
26364 | - name: POD_NAMESPACE
26365 | valueFrom:
26366 | fieldRef:
26367 | fieldPath: metadata.namespace
26368 | image: quay.io/jetstack/cert-manager-controller:v1.2.0
26369 | imagePullPolicy: IfNotPresent
26370 | name: cert-manager
26371 | ports:
26372 | - containerPort: 9402
26373 | protocol: TCP
26374 | resources: {}
26375 | serviceAccountName: cert-manager
26376 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/046/k8s/4-cert-manager.yaml:26329-26376
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/046/k8s/4-cert-manager.yaml:26329-26376
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/046/k8s/4-cert-manager.yaml:26329-26376
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/046/k8s/4-cert-manager.yaml:26329-26376
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/046/k8s/4-cert-manager.yaml:26329-26376
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/046/k8s/4-cert-manager.yaml:26329-26376
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/046/k8s/4-cert-manager.yaml:26329-26376
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/046/k8s/4-cert-manager.yaml:26329-26376
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/046/k8s/4-cert-manager.yaml:26329-26376
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/046/k8s/4-cert-manager.yaml:26329-26376
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/046/k8s/4-cert-manager.yaml:26329-26376
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /lessons/046/k8s/4-cert-manager.yaml:26377-26442
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /lessons/046/k8s/4-cert-manager.yaml:26377-26442
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /lessons/046/k8s/4-cert-manager.yaml:26377-26442
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /lessons/046/k8s/4-cert-manager.yaml:26377-26442
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /lessons/046/k8s/4-cert-manager.yaml:26377-26442
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /lessons/046/k8s/4-cert-manager.yaml:26377-26442
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /lessons/046/k8s/4-cert-manager.yaml:26377-26442
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /lessons/046/k8s/4-cert-manager.yaml:26377-26442
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /lessons/046/k8s/4-cert-manager.yaml:26377-26442
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /lessons/046/k8s/4-cert-manager.yaml:26377-26442
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /lessons/046/k8s/4-cert-manager.yaml:26377-26442
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /lessons/046/k8s/4-cert-manager.yaml:26377-26442
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /lessons/046/k8s/4-cert-manager.yaml:26377-26442
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /lessons/046/k8s/4-cert-manager.yaml:26377-26442
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
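The findings above for the cert-manager controller Deployment (and the same set reported for cert-manager-webhook, and for php-apache below) are all fixed in the pod and container spec. The manifest below is an added example of the controller Deployment with every check keyed by its checkov ID; it is not the repository's file or cert-manager's own chart. Assumptions: UID 10001 and the resource sizes are illustrative; DIGEST is a placeholder to be resolved against the registry, not a real digest; the `checkov.io/skip1` annotation is the skip syntax checkov documents for Kubernetes manifests; the probes use `/metrics` on 9402 because that is the only HTTP endpoint the original manifest shows for this version.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager
  namespace: cert-manager
  labels:
    app: cert-manager
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: cert-manager
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/component: controller
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/name: cert-manager
  template:
    metadata:
      annotations:
        prometheus.io/path: /metrics
        prometheus.io/port: "9402"
        prometheus.io/scrape: "true"
        # CKV_K8S_38: the controller manages Certificates and Secrets through the
        # API, so the ServiceAccount token mount is required. Record the exception
        # instead of faking a pass (assumed checkov skip-annotation syntax).
        checkov.io/skip1: CKV_K8S_38=controller needs API access via its ServiceAccount
      labels:
        app: cert-manager
        app.kubernetes.io/component: controller
        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/name: cert-manager
    spec:
      serviceAccountName: cert-manager
      automountServiceAccountToken: true   # explicit; see the annotation above
      securityContext:                     # CKV_K8S_29 (pod-level context)
        runAsNonRoot: true                 # CKV_K8S_23
        runAsUser: 10001                   # CKV_K8S_40 wants >= 10000; assumes the
        runAsGroup: 10001                  # image does not require a fixed UID
        seccompProfile:
          type: RuntimeDefault             # CKV_K8S_31
      containers:
      - name: cert-manager
        # CKV_K8S_43: pin by digest. DIGEST is a placeholder; resolve it with
        #   crane digest quay.io/jetstack/cert-manager-controller:v1.2.0
        # (the tag is kept for readability, the runtime pulls by the digest).
        image: "quay.io/jetstack/cert-manager-controller:v1.2.0@sha256:DIGEST"
        imagePullPolicy: Always            # CKV_K8S_15; cheap once pinned by digest
        args:
        - --v=2
        - --cluster-resource-namespace=$(POD_NAMESPACE)
        - --leader-election-namespace=kube-system
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        ports:
        - name: metrics
          containerPort: 9402
          protocol: TCP
        securityContext:                   # CKV_K8S_30 (container-level context)
          allowPrivilegeEscalation: false  # CKV_K8S_20
          readOnlyRootFilesystem: true     # CKV_K8S_22; the controller writes nothing to disk
          runAsNonRoot: true
          capabilities:
            drop: ["ALL"]                  # CKV_K8S_28 (NET_RAW) and CKV_K8S_37
        resources:                         # CKV_K8S_11 and CKV_K8S_13
          requests:
            cpu: 50m
            memory: 128Mi
          limits:
            cpu: 500m
            memory: 256Mi
        # CKV_K8S_8 and CKV_K8S_9: /metrics is the only HTTP endpoint this manifest
        # exposes; newer cert-manager releases ship a dedicated health endpoint and
        # that should be preferred where the chart provides it.
        livenessProbe:
          httpGet:
            path: /metrics
            port: metrics
          initialDelaySeconds: 10
          periodSeconds: 30
        readinessProbe:
          httpGet:
            path: /metrics
            port: metrics
          periodSeconds: 10
```

Re-run the scanner on the single file to confirm the IDs clear before touching CI: `checkov -f lessons/046/k8s/4-cert-manager.yaml`. The webhook Deployment takes the identical pod and container `securityContext`, limits and probes. For php-apache, check before applying `readOnlyRootFilesystem` and a non-root UID whether the image's Apache can still bind its port and write its runtime files: an `emptyDir` mount for the writable paths and a listen port above 1024 (or adding `NET_BIND_SERVICE` back after `drop: ["ALL"]`) are the usual fixes, and a probe on `/` over port 80 covers CKV_K8S_8 and CKV_K8S_9 there.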
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.php-apache
File: /lessons/113/k8s/simple-deployment.yaml:7-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: php-apache
11 | namespace: staging
12 | spec:
13 | selector:
14 | matchLabels:
15 | run: php-apache
16 | # remove replica if using gitops
17 | replicas: 1
18 | template:
19 | metadata:
20 | labels:
21 | run: php-apache
22 | spec:
23 | containers:
24 | - name: php-apache
25 | image: k8s.gcr.io/hpa-example
26 | ports:
27 | - containerPort: 80
28 | resources:
29 | limits:
30 | cpu: 200m
31 | memory: 256Mi
32 | requests:
33 | cpu: 200m
34 | memory: 256Mi
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.php-apache
File: /lessons/113/k8s/simple-deployment.yaml:7-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.php-apache
File: /lessons/113/k8s/simple-deployment.yaml:7-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.php-apache
File: /lessons/113/k8s/simple-deployment.yaml:7-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.php-apache
File: /lessons/113/k8s/simple-deployment.yaml:7-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.php-apache
File: /lessons/113/k8s/simple-deployment.yaml:7-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: php-apache
11 | namespace: staging
12 | spec:
13 | selector:
14 | matchLabels:
15 | run: php-apache
16 | # remove replica if using gitops
17 | replicas: 1
18 | template:
19 | metadata:
20 | labels:
21 | run: php-apache
22 | spec:
23 | containers:
24 | - name: php-apache
25 | image: k8s.gcr.io/hpa-example
26 | ports:
27 | - containerPort: 80
28 | resources:
29 | limits:
30 | cpu: 200m
31 | memory: 256Mi
32 | requests:
33 | cpu: 200m
34 | memory: 256Mi
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.php-apache
File: /lessons/113/k8s/simple-deployment.yaml:7-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: php-apache
11 | namespace: staging
12 | spec:
13 | selector:
14 | matchLabels:
15 | run: php-apache
16 | # remove replica if using gitops
17 | replicas: 1
18 | template:
19 | metadata:
20 | labels:
21 | run: php-apache
22 | spec:
23 | containers:
24 | - name: php-apache
25 | image: k8s.gcr.io/hpa-example
26 | ports:
27 | - containerPort: 80
28 | resources:
29 | limits:
30 | cpu: 200m
31 | memory: 256Mi
32 | requests:
33 | cpu: 200m
34 | memory: 256Mi
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.php-apache
File: /lessons/113/k8s/simple-deployment.yaml:7-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: php-apache
11 | namespace: staging
12 | spec:
13 | selector:
14 | matchLabels:
15 | run: php-apache
16 | # remove replica if using gitops
17 | replicas: 1
18 | template:
19 | metadata:
20 | labels:
21 | run: php-apache
22 | spec:
23 | containers:
24 | - name: php-apache
25 | image: k8s.gcr.io/hpa-example
26 | ports:
27 | - containerPort: 80
28 | resources:
29 | limits:
30 | cpu: 200m
31 | memory: 256Mi
32 | requests:
33 | cpu: 200m
34 | memory: 256Mi
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.php-apache
File: /lessons/113/k8s/simple-deployment.yaml:7-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: php-apache
11 | namespace: staging
12 | spec:
13 | selector:
14 | matchLabels:
15 | run: php-apache
16 | # remove replica if using gitops
17 | replicas: 1
18 | template:
19 | metadata:
20 | labels:
21 | run: php-apache
22 | spec:
23 | containers:
24 | - name: php-apache
25 | image: k8s.gcr.io/hpa-example
26 | ports:
27 | - containerPort: 80
28 | resources:
29 | limits:
30 | cpu: 200m
31 | memory: 256Mi
32 | requests:
33 | cpu: 200m
34 | memory: 256Mi
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.php-apache
File: /lessons/113/k8s/simple-deployment.yaml:7-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: php-apache
11 | namespace: staging
12 | spec:
13 | selector:
14 | matchLabels:
15 | run: php-apache
16 | # remove replica if using gitops
17 | replicas: 1
18 | template:
19 | metadata:
20 | labels:
21 | run: php-apache
22 | spec:
23 | containers:
24 | - name: php-apache
25 | image: k8s.gcr.io/hpa-example
26 | ports:
27 | - containerPort: 80
28 | resources:
29 | limits:
30 | cpu: 200m
31 | memory: 256Mi
32 | requests:
33 | cpu: 200m
34 | memory: 256Mi
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.php-apache
File: /lessons/113/k8s/simple-deployment.yaml:7-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: php-apache
11 | namespace: staging
12 | spec:
13 | selector:
14 | matchLabels:
15 | run: php-apache
16 | # remove replica if using gitops
17 | replicas: 1
18 | template:
19 | metadata:
20 | labels:
21 | run: php-apache
22 | spec:
23 | containers:
24 | - name: php-apache
25 | image: k8s.gcr.io/hpa-example
26 | ports:
27 | - containerPort: 80
28 | resources:
29 | limits:
30 | cpu: 200m
31 | memory: 256Mi
32 | requests:
33 | cpu: 200m
34 | memory: 256Mi
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.php-apache
File: /lessons/113/k8s/simple-deployment.yaml:7-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: php-apache
11 | namespace: staging
12 | spec:
13 | selector:
14 | matchLabels:
15 | run: php-apache
16 | # remove replica if using gitops
17 | replicas: 1
18 | template:
19 | metadata:
20 | labels:
21 | run: php-apache
22 | spec:
23 | containers:
24 | - name: php-apache
25 | image: k8s.gcr.io/hpa-example
26 | ports:
27 | - containerPort: 80
28 | resources:
29 | limits:
30 | cpu: 200m
31 | memory: 256Mi
32 | requests:
33 | cpu: 200m
34 | memory: 256Mi
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.staging.php-apache
File: /lessons/113/k8s/simple-deployment.yaml:7-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: php-apache
11 | namespace: staging
12 | spec:
13 | selector:
14 | matchLabels:
15 | run: php-apache
16 | # remove replica if using gitops
17 | replicas: 1
18 | template:
19 | metadata:
20 | labels:
21 | run: php-apache
22 | spec:
23 | containers:
24 | - name: php-apache
25 | image: k8s.gcr.io/hpa-example
26 | ports:
27 | - containerPort: 80
28 | resources:
29 | limits:
30 | cpu: 200m
31 | memory: 256Mi
32 | requests:
33 | cpu: 200m
34 | memory: 256Mi
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.php-apache
File: /lessons/113/k8s/simple-deployment.yaml:7-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: php-apache
11 | namespace: staging
12 | spec:
13 | selector:
14 | matchLabels:
15 | run: php-apache
16 | # remove replica if using gitops
17 | replicas: 1
18 | template:
19 | metadata:
20 | labels:
21 | run: php-apache
22 | spec:
23 | containers:
24 | - name: php-apache
25 | image: k8s.gcr.io/hpa-example
26 | ports:
27 | - containerPort: 80
28 | resources:
29 | limits:
30 | cpu: 200m
31 | memory: 256Mi
32 | requests:
33 | cpu: 200m
34 | memory: 256Mi
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.staging.app
File: /lessons/113/k8s/efs.yaml:37-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
37 | apiVersion: v1
38 | kind: Pod
39 | metadata:
40 | name: app
41 | namespace: staging
42 | spec:
43 | containers:
44 | - name: app1
45 | image: busybox
46 | command: ["/bin/sh"]
47 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
48 | volumeMounts:
49 | - name: persistent-storage
50 | mountPath: /data
51 | volumes:
52 | - name: persistent-storage
53 | persistentVolumeClaim:
54 | claimName: efs-claim
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.staging.app
File: /lessons/113/k8s/efs.yaml:37-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
37 | apiVersion: v1
38 | kind: Pod
39 | metadata:
40 | name: app
41 | namespace: staging
42 | spec:
43 | containers:
44 | - name: app1
45 | image: busybox
46 | command: ["/bin/sh"]
47 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
48 | volumeMounts:
49 | - name: persistent-storage
50 | mountPath: /data
51 | volumes:
52 | - name: persistent-storage
53 | persistentVolumeClaim:
54 | claimName: efs-claim
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Pod.staging.app
File: /lessons/113/k8s/efs.yaml:37-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
37 | apiVersion: v1
38 | kind: Pod
39 | metadata:
40 | name: app
41 | namespace: staging
42 | spec:
43 | containers:
44 | - name: app1
45 | image: busybox
46 | command: ["/bin/sh"]
47 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
48 | volumeMounts:
49 | - name: persistent-storage
50 | mountPath: /data
51 | volumes:
52 | - name: persistent-storage
53 | persistentVolumeClaim:
54 | claimName: efs-claim
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.staging.app
File: /lessons/113/k8s/efs.yaml:37-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
37 | apiVersion: v1
38 | kind: Pod
39 | metadata:
40 | name: app
41 | namespace: staging
42 | spec:
43 | containers:
44 | - name: app1
45 | image: busybox
46 | command: ["/bin/sh"]
47 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
48 | volumeMounts:
49 | - name: persistent-storage
50 | mountPath: /data
51 | volumes:
52 | - name: persistent-storage
53 | persistentVolumeClaim:
54 | claimName: efs-claim
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.staging.app
File: /lessons/113/k8s/efs.yaml:37-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
37 | apiVersion: v1
38 | kind: Pod
39 | metadata:
40 | name: app
41 | namespace: staging
42 | spec:
43 | containers:
44 | - name: app1
45 | image: busybox
46 | command: ["/bin/sh"]
47 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
48 | volumeMounts:
49 | - name: persistent-storage
50 | mountPath: /data
51 | volumes:
52 | - name: persistent-storage
53 | persistentVolumeClaim:
54 | claimName: efs-claim
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.staging.app
File: /lessons/113/k8s/efs.yaml:37-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
37 | apiVersion: v1
38 | kind: Pod
39 | metadata:
40 | name: app
41 | namespace: staging
42 | spec:
43 | containers:
44 | - name: app1
45 | image: busybox
46 | command: ["/bin/sh"]
47 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
48 | volumeMounts:
49 | - name: persistent-storage
50 | mountPath: /data
51 | volumes:
52 | - name: persistent-storage
53 | persistentVolumeClaim:
54 | claimName: efs-claim
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.staging.app
File: /lessons/113/k8s/efs.yaml:37-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
37 | apiVersion: v1
38 | kind: Pod
39 | metadata:
40 | name: app
41 | namespace: staging
42 | spec:
43 | containers:
44 | - name: app1
45 | image: busybox
46 | command: ["/bin/sh"]
47 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
48 | volumeMounts:
49 | - name: persistent-storage
50 | mountPath: /data
51 | volumes:
52 | - name: persistent-storage
53 | persistentVolumeClaim:
54 | claimName: efs-claim
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.staging.app
File: /lessons/113/k8s/efs.yaml:37-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
37 | apiVersion: v1
38 | kind: Pod
39 | metadata:
40 | name: app
41 | namespace: staging
42 | spec:
43 | containers:
44 | - name: app1
45 | image: busybox
46 | command: ["/bin/sh"]
47 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
48 | volumeMounts:
49 | - name: persistent-storage
50 | mountPath: /data
51 | volumes:
52 | - name: persistent-storage
53 | persistentVolumeClaim:
54 | claimName: efs-claim
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.staging.app
File: /lessons/113/k8s/efs.yaml:37-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
37 | apiVersion: v1
38 | kind: Pod
39 | metadata:
40 | name: app
41 | namespace: staging
42 | spec:
43 | containers:
44 | - name: app1
45 | image: busybox
46 | command: ["/bin/sh"]
47 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
48 | volumeMounts:
49 | - name: persistent-storage
50 | mountPath: /data
51 | volumes:
52 | - name: persistent-storage
53 | persistentVolumeClaim:
54 | claimName: efs-claim
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.staging.app
File: /lessons/113/k8s/efs.yaml:37-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
37 | apiVersion: v1
38 | kind: Pod
39 | metadata:
40 | name: app
41 | namespace: staging
42 | spec:
43 | containers:
44 | - name: app1
45 | image: busybox
46 | command: ["/bin/sh"]
47 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
48 | volumeMounts:
49 | - name: persistent-storage
50 | mountPath: /data
51 | volumes:
52 | - name: persistent-storage
53 | persistentVolumeClaim:
54 | claimName: efs-claim
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.staging.app
File: /lessons/113/k8s/efs.yaml:37-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
37 | apiVersion: v1
38 | kind: Pod
39 | metadata:
40 | name: app
41 | namespace: staging
42 | spec:
43 | containers:
44 | - name: app1
45 | image: busybox
46 | command: ["/bin/sh"]
47 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
48 | volumeMounts:
49 | - name: persistent-storage
50 | mountPath: /data
51 | volumes:
52 | - name: persistent-storage
53 | persistentVolumeClaim:
54 | claimName: efs-claim
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.staging.app
File: /lessons/113/k8s/efs.yaml:37-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
37 | apiVersion: v1
38 | kind: Pod
39 | metadata:
40 | name: app
41 | namespace: staging
42 | spec:
43 | containers:
44 | - name: app1
45 | image: busybox
46 | command: ["/bin/sh"]
47 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
48 | volumeMounts:
49 | - name: persistent-storage
50 | mountPath: /data
51 | volumes:
52 | - name: persistent-storage
53 | persistentVolumeClaim:
54 | claimName: efs-claim
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.staging.app
File: /lessons/113/k8s/efs.yaml:37-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
37 | apiVersion: v1
38 | kind: Pod
39 | metadata:
40 | name: app
41 | namespace: staging
42 | spec:
43 | containers:
44 | - name: app1
45 | image: busybox
46 | command: ["/bin/sh"]
47 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
48 | volumeMounts:
49 | - name: persistent-storage
50 | mountPath: /data
51 | volumes:
52 | - name: persistent-storage
53 | persistentVolumeClaim:
54 | claimName: efs-claim
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.staging.app
File: /lessons/113/k8s/efs.yaml:37-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
37 | apiVersion: v1
38 | kind: Pod
39 | metadata:
40 | name: app
41 | namespace: staging
42 | spec:
43 | containers:
44 | - name: app1
45 | image: busybox
46 | command: ["/bin/sh"]
47 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
48 | volumeMounts:
49 | - name: persistent-storage
50 | mountPath: /data
51 | volumes:
52 | - name: persistent-storage
53 | persistentVolumeClaim:
54 | claimName: efs-claim
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.staging.app
File: /lessons/113/k8s/efs.yaml:37-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
37 | apiVersion: v1
38 | kind: Pod
39 | metadata:
40 | name: app
41 | namespace: staging
42 | spec:
43 | containers:
44 | - name: app1
45 | image: busybox
46 | command: ["/bin/sh"]
47 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
48 | volumeMounts:
49 | - name: persistent-storage
50 | mountPath: /data
51 | volumes:
52 | - name: persistent-storage
53 | persistentVolumeClaim:
54 | claimName: efs-claim
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Pod.staging.app
File: /lessons/113/k8s/efs.yaml:37-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
37 | apiVersion: v1
38 | kind: Pod
39 | metadata:
40 | name: app
41 | namespace: staging
42 | spec:
43 | containers:
44 | - name: app1
45 | image: busybox
46 | command: ["/bin/sh"]
47 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
48 | volumeMounts:
49 | - name: persistent-storage
50 | mountPath: /data
51 | volumes:
52 | - name: persistent-storage
53 | persistentVolumeClaim:
54 | claimName: efs-claim
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.staging.app
File: /lessons/113/k8s/efs.yaml:37-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
37 | apiVersion: v1
38 | kind: Pod
39 | metadata:
40 | name: app
41 | namespace: staging
42 | spec:
43 | containers:
44 | - name: app1
45 | image: busybox
46 | command: ["/bin/sh"]
47 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
48 | volumeMounts:
49 | - name: persistent-storage
50 | mountPath: /data
51 | volumes:
52 | - name: persistent-storage
53 | persistentVolumeClaim:
54 | claimName: efs-claim
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.staging.app
File: /lessons/113/k8s/efs.yaml:37-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
37 | apiVersion: v1
38 | kind: Pod
39 | metadata:
40 | name: app
41 | namespace: staging
42 | spec:
43 | containers:
44 | - name: app1
45 | image: busybox
46 | command: ["/bin/sh"]
47 | args: ["-c", "while true; do echo $(date -u) >> /data/out1.txt; sleep 5; done"]
48 | volumeMounts:
49 | - name: persistent-storage
50 | mountPath: /data
51 | volumes:
52 | - name: persistent-storage
53 | persistentVolumeClaim:
54 | claimName: efs-claim
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/132/k8s/grafana/3-deployment.yaml:2-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/132/k8s/grafana/3-deployment.yaml:2-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/132/k8s/grafana/3-deployment.yaml:2-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/132/k8s/grafana/3-deployment.yaml:2-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/132/k8s/grafana/3-deployment.yaml:2-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/132/k8s/grafana/3-deployment.yaml:2-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/132/k8s/grafana/3-deployment.yaml:2-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/132/k8s/grafana/3-deployment.yaml:2-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/132/k8s/grafana/3-deployment.yaml:2-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/132/k8s/grafana/3-deployment.yaml:2-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/132/k8s/grafana/3-deployment.yaml:2-73
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/132/k8s/node-exporter/4-daemonset.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/132/k8s/node-exporter/4-daemonset.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_19: "Containers should not share the host network namespace"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/132/k8s/node-exporter/4-daemonset.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-18.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/132/k8s/node-exporter/4-daemonset.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/132/k8s/node-exporter/4-daemonset.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_17: "Containers should not share the host process ID namespace"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/132/k8s/node-exporter/4-daemonset.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-16.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/132/k8s/node-exporter/4-daemonset.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/132/k8s/node-exporter/4-daemonset.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/132/k8s/node-exporter/4-daemonset.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/132/k8s/node-exporter/4-daemonset.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/132/k8s/node-exporter/4-daemonset.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.monitoring.frontend
File: /lessons/132/k8s/prometheus-ui/1-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: frontend
6 | namespace: monitoring
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: frontend
12 | template:
13 | metadata:
14 | labels:
15 | app: frontend
16 | spec:
17 | serviceAccountName: prometheus-ui
18 | containers:
19 | - name: frontend
20 | image: gke.gcr.io/prometheus-engine/frontend:v0.5.0-gke.0
21 | args:
22 | - --web.listen-address=:9090
23 | - --query.project-id=devops-367201 # TODO: replace project-id
24 | ports:
25 | - name: web
26 | containerPort: 9090
27 | readinessProbe:
28 | httpGet:
29 | path: /-/ready
30 | port: web
31 | livenessProbe:
32 | httpGet:
33 | path: /-/healthy
34 | port: web
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.frontend
File: /lessons/132/k8s/prometheus-ui/1-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
(resource code identical to the block shown above for Deployment.monitoring.frontend)
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.monitoring.frontend
File: /lessons/132/k8s/prometheus-ui/1-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
(resource code identical to the block shown above for Deployment.monitoring.frontend)
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.monitoring.frontend
File: /lessons/132/k8s/prometheus-ui/1-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
(resource code identical to the block shown above for Deployment.monitoring.frontend)
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.monitoring.frontend
File: /lessons/132/k8s/prometheus-ui/1-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
(resource code identical to the block shown above for Deployment.monitoring.frontend)
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.monitoring.frontend
File: /lessons/132/k8s/prometheus-ui/1-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
(resource code identical to the block shown above for Deployment.monitoring.frontend)
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.frontend
File: /lessons/132/k8s/prometheus-ui/1-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
(resource code identical to the block shown above for Deployment.monitoring.frontend)
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.monitoring.frontend
File: /lessons/132/k8s/prometheus-ui/1-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
(resource code identical to the block shown above for Deployment.monitoring.frontend)
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.monitoring.frontend
File: /lessons/132/k8s/prometheus-ui/1-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
(resource code identical to the block shown above for Deployment.monitoring.frontend)
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.monitoring.frontend
File: /lessons/132/k8s/prometheus-ui/1-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
(resource code identical to the block shown above for Deployment.monitoring.frontend)
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.monitoring.frontend
File: /lessons/132/k8s/prometheus-ui/1-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
(resource code identical to the block shown above for Deployment.monitoring.frontend)
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.monitoring.frontend
File: /lessons/132/k8s/prometheus-ui/1-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
(resource code identical to the block shown above for Deployment.monitoring.frontend)
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.monitoring.frontend
File: /lessons/132/k8s/prometheus-ui/1-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
(resource code identical to the block shown above for Deployment.monitoring.frontend)
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.monitoring.frontend
File: /lessons/132/k8s/prometheus-ui/1-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
(resource code identical to the block shown above for Deployment.monitoring.frontend)
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.frontend
File: /lessons/132/k8s/prometheus-ui/1-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
(resource code identical to the block shown above for Deployment.monitoring.frontend)
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.frontend
File: /lessons/132/k8s/prometheus-ui/1-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
(resource code identical to the block shown above for Deployment.monitoring.frontend)
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.public-lb
File: /lessons/102/k8s/public-lb.yaml:2-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: Service
4 | metadata:
5 | name: public-lb
6 | annotations:
7 | service.beta.kubernetes.io/aws-load-balancer-type: nlb
8 | spec:
9 | type: LoadBalancer
10 | selector:
11 | app: nginx
12 | ports:
13 | - protocol: TCP
14 | port: 80
15 | targetPort: web
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /lessons/102/k8s/cluster-autoscaler.yaml:122-182
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /lessons/102/k8s/cluster-autoscaler.yaml:122-182
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /lessons/102/k8s/cluster-autoscaler.yaml:122-182
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /lessons/102/k8s/cluster-autoscaler.yaml:122-182
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.private-lb
File: /lessons/102/k8s/private-lb.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: Service
4 | metadata:
5 | name: private-lb
6 | annotations:
7 | service.beta.kubernetes.io/aws-load-balancer-type: nlb
8 | service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
9 | spec:
10 | type: LoadBalancer
11 | selector:
12 | app: nginx
13 | ports:
14 | - protocol: TCP
15 | port: 80
16 | targetPort: web
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ServiceAccount.default.aws-test
File: /lessons/102/k8s/aws-test.yaml:2-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: ServiceAccount
4 | metadata:
5 | name: aws-test
6 | namespace: default
7 | annotations:
8 | eks.amazonaws.com/role-arn: arn:aws:iam::424432388155:role/test-oidc
9 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.default.aws-cli
File: /lessons/102/k8s/aws-test.yaml:10-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
10 | apiVersion: v1
11 | kind: Pod
12 | metadata:
13 | name: aws-cli
14 | namespace: default
15 | spec:
16 | serviceAccountName: aws-test
17 | containers:
18 | - name: aws-cli
19 | image: amazon/aws-cli
20 | command: [ "/bin/bash", "-c", "--" ]
21 | args: [ "while true; do sleep 30; done;" ]
22 | tolerations:
23 | - operator: Exists
24 | effect: NoSchedule
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.aws-cli
File: /lessons/102/k8s/aws-test.yaml:10-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
(resource code identical to the block shown above for Pod.default.aws-cli)
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Pod.default.aws-cli
File: /lessons/102/k8s/aws-test.yaml:10-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
(resource code identical to the block shown above for Pod.default.aws-cli)
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.aws-cli
File: /lessons/102/k8s/aws-test.yaml:10-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
(resource code identical to the block shown above for Pod.default.aws-cli)
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.aws-cli
File: /lessons/102/k8s/aws-test.yaml:10-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
(resource code identical to the block shown above for Pod.default.aws-cli)
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.aws-cli
File: /lessons/102/k8s/aws-test.yaml:10-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
(resource code identical to the block shown above for Pod.default.aws-cli)
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.default.aws-cli
File: /lessons/102/k8s/aws-test.yaml:10-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
(resource code identical to the block shown above for Pod.default.aws-cli)
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.aws-cli
File: /lessons/102/k8s/aws-test.yaml:10-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
(resource code identical to the block shown above for Pod.default.aws-cli)
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.aws-cli
File: /lessons/102/k8s/aws-test.yaml:10-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
(resource code identical to the block shown above for Pod.default.aws-cli)
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.aws-cli
File: /lessons/102/k8s/aws-test.yaml:10-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
(resource code identical to the block shown above for Pod.default.aws-cli)
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.default.aws-cli
File: /lessons/102/k8s/aws-test.yaml:10-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
(resource code identical to the block shown above for Pod.default.aws-cli)
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.aws-cli
File: /lessons/102/k8s/aws-test.yaml:10-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
(resource code identical to the block shown above for Pod.default.aws-cli)
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.default.aws-cli
File: /lessons/102/k8s/aws-test.yaml:10-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
(resource code identical to the block shown above for Pod.default.aws-cli)
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.aws-cli
File: /lessons/102/k8s/aws-test.yaml:10-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
(resource code identical to the block shown above for Pod.default.aws-cli)
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.aws-cli
File: /lessons/102/k8s/aws-test.yaml:10-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
(resource code identical to the block shown above for Pod.default.aws-cli)
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.aws-cli
File: /lessons/102/k8s/aws-test.yaml:10-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
(resource code identical to the block shown above for Pod.default.aws-cli)
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Pod.default.aws-cli
File: /lessons/102/k8s/aws-test.yaml:10-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.default.aws-cli
File: /lessons/102/k8s/aws-test.yaml:10-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.aws-cli
File: /lessons/102/k8s/aws-test.yaml:10-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx
File: /lessons/102/k8s/deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | spec:
7 | replicas: 5
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.23.4
19 | ports:
20 | - name: web
21 | containerPort: 80
22 | resources:
23 | requests:
24 | memory: 256Mi
25 | cpu: 250m
26 | limits:
27 | memory: 256Mi
28 | cpu: 250m
29 | affinity:
30 | nodeAffinity:
31 | requiredDuringSchedulingIgnoredDuringExecution:
32 | nodeSelectorTerms:
33 | - matchExpressions:
34 | - key: role
35 | operator: In
36 | values:
37 | - general
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx
File: /lessons/102/k8s/deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/102/k8s/deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/102/k8s/deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/102/k8s/deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx
File: /lessons/102/k8s/deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx
File: /lessons/102/k8s/deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/102/k8s/deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/102/k8s/deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx
File: /lessons/102/k8s/deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx
File: /lessons/102/k8s/deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx
File: /lessons/102/k8s/deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx
File: /lessons/102/k8s/deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx
File: /lessons/102/k8s/deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx
File: /lessons/102/k8s/deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/069/k8s/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-deployment
5 | namespace: default
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/069/k8s/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/069/k8s/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/069/k8s/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/069/k8s/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/069/k8s/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/069/k8s/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/069/k8s/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/069/k8s/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/069/k8s/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/069/k8s/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/069/k8s/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/069/k8s/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/069/k8s/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/069/k8s/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/069/k8s/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/069/k8s/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/069/k8s/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/069/k8s/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.nginx
File: /lessons/069/k8s/1-service.yaml:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: Service
4 | metadata:
5 | name: nginx
6 | namespace: default
7 | spec:
8 | type: LoadBalancer
9 | ports:
10 | - protocol: TCP
11 | port: 80
12 | selector:
13 | app: nginx
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/082/grafana/1-deployment.yaml:2-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   namespace: monitoring
6 |   name: grafana
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: grafana
12 |   strategy:
13 |     type: Recreate
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: grafana
18 |     spec:
19 |       containers:
20 |       - name: grafana
21 |         image: grafana/grafana:8.1.1
22 |         imagePullPolicy: IfNotPresent
23 |         ports:
24 |         - name: grafana
25 |           containerPort: 3000
26 |           protocol: TCP
27 |         env:
28 |         - name: GF_SECURITY_ADMIN_USER
29 |           valueFrom:
30 |             secretKeyRef:
31 |               name: grafana
32 |               key: admin-user
33 |         - name: GF_SECURITY_ADMIN_PASSWORD
34 |           valueFrom:
35 |             secretKeyRef:
36 |               name: grafana
37 |               key: admin-password
38 |         livenessProbe:
39 |           failureThreshold: 10
40 |           httpGet:
41 |             path: /api/health
42 |             port: grafana
43 |           initialDelaySeconds: 30
44 |           timeoutSeconds: 15
45 |         readinessProbe:
46 |           httpGet:
47 |             path: /api/health
48 |             port: grafana
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/082/grafana/1-deployment.yaml:2-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/082/grafana/1-deployment.yaml:2-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/082/grafana/1-deployment.yaml:2-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/082/grafana/1-deployment.yaml:2-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/082/grafana/1-deployment.yaml:2-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/082/grafana/1-deployment.yaml:2-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/082/grafana/1-deployment.yaml:2-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/082/grafana/1-deployment.yaml:2-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/082/grafana/1-deployment.yaml:2-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/082/grafana/1-deployment.yaml:2-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/082/grafana/1-deployment.yaml:2-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/082/grafana/1-deployment.yaml:2-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/082/grafana/1-deployment.yaml:2-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/082/grafana/1-deployment.yaml:2-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/082/grafana/1-deployment.yaml:2-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/082/grafana/1-deployment.yaml:2-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.staging.foo
File: /lessons/082/example-3/1-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   namespace: staging
6 |   name: foo
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: foo
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: foo
16 |     spec:
17 |       containers:
18 |       - name: foo
19 |         image: aputrabay/lesson-082:v0.1.6
20 |         args:
21 |         - -name
22 |         - foo
23 |         - -port
24 |         - "5698"
25 |         ports:
26 |         - name: http
27 |           containerPort: 5698
28 |           protocol: TCP
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.foo
File: /lessons/082/example-3/1-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.staging.foo
File: /lessons/082/example-3/1-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.foo
File: /lessons/082/example-3/1-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.foo
File: /lessons/082/example-3/1-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.foo
File: /lessons/082/example-3/1-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.foo
File: /lessons/082/example-3/1-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.foo
File: /lessons/082/example-3/1-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.foo
File: /lessons/082/example-3/1-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.foo
File: /lessons/082/example-3/1-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.foo
File: /lessons/082/example-3/1-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.staging.foo
File: /lessons/082/example-3/1-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.foo
File: /lessons/082/example-3/1-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.foo
File: /lessons/082/example-3/1-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.foo
File: /lessons/082/example-3/1-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | namespace: staging
6 | name: foo
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: foo
12 | template:
13 | metadata:
14 | labels:
15 | app: foo
16 | spec:
17 | containers:
18 | - name: foo
19 | image: aputrabay/lesson-082:v0.1.6
20 | args:
21 | - -name
22 | - foo
23 | - -port
24 | - "5698"
25 | ports:
26 | - name: http
27 | containerPort: 5698
28 | protocol: TCP
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.staging.foo
File: /lessons/082/example-3/1-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | namespace: staging
6 | name: foo
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: foo
12 | template:
13 | metadata:
14 | labels:
15 | app: foo
16 | spec:
17 | containers:
18 | - name: foo
19 | image: aputrabay/lesson-082:v0.1.6
20 | args:
21 | - -name
22 | - foo
23 | - -port
24 | - "5698"
25 | ports:
26 | - name: http
27 | containerPort: 5698
28 | protocol: TCP
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.staging.foo
File: /lessons/082/example-3/1-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | namespace: staging
6 | name: foo
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: foo
12 | template:
13 | metadata:
14 | labels:
15 | app: foo
16 | spec:
17 | containers:
18 | - name: foo
19 | image: aputrabay/lesson-082:v0.1.6
20 | args:
21 | - -name
22 | - foo
23 | - -port
24 | - "5698"
25 | ports:
26 | - name: http
27 | containerPort: 5698
28 | protocol: TCP
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.foo
File: /lessons/082/example-3/1-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | namespace: staging
6 | name: foo
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: foo
12 | template:
13 | metadata:
14 | labels:
15 | app: foo
16 | spec:
17 | containers:
18 | - name: foo
19 | image: aputrabay/lesson-082:v0.1.6
20 | args:
21 | - -name
22 | - foo
23 | - -port
24 | - "5698"
25 | ports:
26 | - name: http
27 | containerPort: 5698
28 | protocol: TCP
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.staging.bar
File: /lessons/082/example-3/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | namespace: staging
6 | name: bar
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: aputrabay/lesson-082:v0.1.6
20 | args:
21 | - -name
22 | - bar
23 | - -port
24 | - "8956"
25 | ports:
26 | - name: http
27 | containerPort: 8956
28 | protocol: TCP
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.bar
File: /lessons/082/example-3/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | namespace: staging
6 | name: bar
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: aputrabay/lesson-082:v0.1.6
20 | args:
21 | - -name
22 | - bar
23 | - -port
24 | - "8956"
25 | ports:
26 | - name: http
27 | containerPort: 8956
28 | protocol: TCP
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.staging.bar
File: /lessons/082/example-3/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | namespace: staging
6 | name: bar
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: aputrabay/lesson-082:v0.1.6
20 | args:
21 | - -name
22 | - bar
23 | - -port
24 | - "8956"
25 | ports:
26 | - name: http
27 | containerPort: 8956
28 | protocol: TCP
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.bar
File: /lessons/082/example-3/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | namespace: staging
6 | name: bar
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: aputrabay/lesson-082:v0.1.6
20 | args:
21 | - -name
22 | - bar
23 | - -port
24 | - "8956"
25 | ports:
26 | - name: http
27 | containerPort: 8956
28 | protocol: TCP
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.bar
File: /lessons/082/example-3/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | namespace: staging
6 | name: bar
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: aputrabay/lesson-082:v0.1.6
20 | args:
21 | - -name
22 | - bar
23 | - -port
24 | - "8956"
25 | ports:
26 | - name: http
27 | containerPort: 8956
28 | protocol: TCP
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.bar
File: /lessons/082/example-3/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | namespace: staging
6 | name: bar
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: aputrabay/lesson-082:v0.1.6
20 | args:
21 | - -name
22 | - bar
23 | - -port
24 | - "8956"
25 | ports:
26 | - name: http
27 | containerPort: 8956
28 | protocol: TCP
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.bar
File: /lessons/082/example-3/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | namespace: staging
6 | name: bar
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: aputrabay/lesson-082:v0.1.6
20 | args:
21 | - -name
22 | - bar
23 | - -port
24 | - "8956"
25 | ports:
26 | - name: http
27 | containerPort: 8956
28 | protocol: TCP
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.bar
File: /lessons/082/example-3/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | namespace: staging
6 | name: bar
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: aputrabay/lesson-082:v0.1.6
20 | args:
21 | - -name
22 | - bar
23 | - -port
24 | - "8956"
25 | ports:
26 | - name: http
27 | containerPort: 8956
28 | protocol: TCP
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.bar
File: /lessons/082/example-3/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | namespace: staging
6 | name: bar
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: aputrabay/lesson-082:v0.1.6
20 | args:
21 | - -name
22 | - bar
23 | - -port
24 | - "8956"
25 | ports:
26 | - name: http
27 | containerPort: 8956
28 | protocol: TCP
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.bar
File: /lessons/082/example-3/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | namespace: staging
6 | name: bar
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: aputrabay/lesson-082:v0.1.6
20 | args:
21 | - -name
22 | - bar
23 | - -port
24 | - "8956"
25 | ports:
26 | - name: http
27 | containerPort: 8956
28 | protocol: TCP
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.bar
File: /lessons/082/example-3/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | namespace: staging
6 | name: bar
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: aputrabay/lesson-082:v0.1.6
20 | args:
21 | - -name
22 | - bar
23 | - -port
24 | - "8956"
25 | ports:
26 | - name: http
27 | containerPort: 8956
28 | protocol: TCP
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.staging.bar
File: /lessons/082/example-3/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | namespace: staging
6 | name: bar
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: aputrabay/lesson-082:v0.1.6
20 | args:
21 | - -name
22 | - bar
23 | - -port
24 | - "8956"
25 | ports:
26 | - name: http
27 | containerPort: 8956
28 | protocol: TCP
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.bar
File: /lessons/082/example-3/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | namespace: staging
6 | name: bar
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: aputrabay/lesson-082:v0.1.6
20 | args:
21 | - -name
22 | - bar
23 | - -port
24 | - "8956"
25 | ports:
26 | - name: http
27 | containerPort: 8956
28 | protocol: TCP
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.bar
File: /lessons/082/example-3/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | namespace: staging
6 | name: bar
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: aputrabay/lesson-082:v0.1.6
20 | args:
21 | - -name
22 | - bar
23 | - -port
24 | - "8956"
25 | ports:
26 | - name: http
27 | containerPort: 8956
28 | protocol: TCP
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.bar
File: /lessons/082/example-3/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | namespace: staging
6 | name: bar
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: aputrabay/lesson-082:v0.1.6
20 | args:
21 | - -name
22 | - bar
23 | - -port
24 | - "8956"
25 | ports:
26 | - name: http
27 | containerPort: 8956
28 | protocol: TCP
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.staging.bar
File: /lessons/082/example-3/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | namespace: staging
6 | name: bar
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: aputrabay/lesson-082:v0.1.6
20 | args:
21 | - -name
22 | - bar
23 | - -port
24 | - "8956"
25 | ports:
26 | - name: http
27 | containerPort: 8956
28 | protocol: TCP
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.staging.bar
File: /lessons/082/example-3/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | namespace: staging
6 | name: bar
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: aputrabay/lesson-082:v0.1.6
20 | args:
21 | - -name
22 | - bar
23 | - -port
24 | - "8956"
25 | ports:
26 | - name: http
27 | containerPort: 8956
28 | protocol: TCP
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.bar
File: /lessons/082/example-3/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | namespace: staging
6 | name: bar
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: aputrabay/lesson-082:v0.1.6
20 | args:
21 | - -name
22 | - bar
23 | - -port
24 | - "8956"
25 | ports:
26 | - name: http
27 | containerPort: 8956
28 | protocol: TCP
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.ingress.my-ing-ingress-nginx-controller
File: /lessons/082/my-ing/ingress-nginx/templates/controller-deployment.yaml:3-127
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.ingress.my-ing-ingress-nginx-controller
File: /lessons/082/my-ing/ingress-nginx/templates/controller-deployment.yaml:3-127
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_25: "Minimize the admission of containers with added capability"
FAILED for resource: Deployment.ingress.my-ing-ingress-nginx-controller
File: /lessons/082/my-ing/ingress-nginx/templates/controller-deployment.yaml:3-127
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-24.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.ingress.my-ing-ingress-nginx-controller
File: /lessons/082/my-ing/ingress-nginx/templates/controller-deployment.yaml:3-127
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.ingress.my-ing-ingress-nginx-controller
File: /lessons/082/my-ing/ingress-nginx/templates/controller-deployment.yaml:3-127
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.ingress.my-ing-ingress-nginx-controller
File: /lessons/082/my-ing/ingress-nginx/templates/controller-deployment.yaml:3-127
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.ingress.my-ing-ingress-nginx-controller
File: /lessons/082/my-ing/ingress-nginx/templates/controller-deployment.yaml:3-127
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.ingress.my-ing-ingress-nginx-controller
File: /lessons/082/my-ing/ingress-nginx/templates/controller-deployment.yaml:3-127
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.ingress.my-ing-ingress-nginx-controller
File: /lessons/082/my-ing/ingress-nginx/templates/controller-deployment.yaml:3-127
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_155: "Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations"
FAILED for resource: ClusterRole.default.my-ing-ingress-nginx-admission
File: /lessons/082/my-ing/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml:3-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-control-over-validating-or-mutating-admission-webhook-configurations-are-minimized.html
3 | apiVersion: rbac.authorization.k8s.io/v1
4 | kind: ClusterRole
5 | metadata:
6 | name: my-ing-ingress-nginx-admission
7 | annotations:
8 | "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
9 | "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
10 | labels:
11 | helm.sh/chart: ingress-nginx-3.35.0
12 | app.kubernetes.io/name: ingress-nginx
13 | app.kubernetes.io/instance: my-ing
14 | app.kubernetes.io/version: "0.48.1"
15 | app.kubernetes.io/managed-by: Helm
16 | app.kubernetes.io/component: admission-webhook
17 | rules:
18 | - apiGroups:
19 | - admissionregistration.k8s.io
20 | resources:
21 | - validatingwebhookconfigurations
22 | verbs:
23 | - get
24 | - update
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Job.ingress.my-ing-ingress-nginx-admission-create
File: /lessons/082/my-ing/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml:3-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
3 | apiVersion: batch/v1
4 | kind: Job
5 | metadata:
6 | name: my-ing-ingress-nginx-admission-create
7 | namespace: ingress
8 | annotations:
9 | "helm.sh/hook": pre-install,pre-upgrade
10 | "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
11 | labels:
12 | helm.sh/chart: ingress-nginx-3.35.0
13 | app.kubernetes.io/name: ingress-nginx
14 | app.kubernetes.io/instance: my-ing
15 | app.kubernetes.io/version: "0.48.1"
16 | app.kubernetes.io/managed-by: Helm
17 | app.kubernetes.io/component: admission-webhook
18 | spec:
19 | template:
20 | metadata:
21 | name: my-ing-ingress-nginx-admission-create
22 | labels:
23 | helm.sh/chart: ingress-nginx-3.35.0
24 | app.kubernetes.io/name: ingress-nginx
25 | app.kubernetes.io/instance: my-ing
26 | app.kubernetes.io/version: "0.48.1"
27 | app.kubernetes.io/managed-by: Helm
28 | app.kubernetes.io/component: admission-webhook
29 | spec:
30 | containers:
31 | - name: create
32 | image: "docker.io/jettech/kube-webhook-certgen:v1.5.1"
33 | imagePullPolicy: IfNotPresent
34 | args:
35 | - create
36 | - --host=my-ing-ingress-nginx-controller-admission,my-ing-ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
37 | - --namespace=$(POD_NAMESPACE)
38 | - --secret-name=my-ing-ingress-nginx-admission
39 | env:
40 | - name: POD_NAMESPACE
41 | valueFrom:
42 | fieldRef:
43 | fieldPath: metadata.namespace
44 | restartPolicy: OnFailure
45 | serviceAccountName: my-ing-ingress-nginx-admission
46 | securityContext:
47 | runAsNonRoot: true
48 | runAsUser: 2000
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Job.ingress.my-ing-ingress-nginx-admission-create
File: /lessons/082/my-ing/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml:3-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
3 | apiVersion: batch/v1
4 | kind: Job
5 | metadata:
6 | name: my-ing-ingress-nginx-admission-create
7 | namespace: ingress
8 | annotations:
9 | "helm.sh/hook": pre-install,pre-upgrade
10 | "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
11 | labels:
12 | helm.sh/chart: ingress-nginx-3.35.0
13 | app.kubernetes.io/name: ingress-nginx
14 | app.kubernetes.io/instance: my-ing
15 | app.kubernetes.io/version: "0.48.1"
16 | app.kubernetes.io/managed-by: Helm
17 | app.kubernetes.io/component: admission-webhook
18 | spec:
19 | template:
20 | metadata:
21 | name: my-ing-ingress-nginx-admission-create
22 | labels:
23 | helm.sh/chart: ingress-nginx-3.35.0
24 | app.kubernetes.io/name: ingress-nginx
25 | app.kubernetes.io/instance: my-ing
26 | app.kubernetes.io/version: "0.48.1"
27 | app.kubernetes.io/managed-by: Helm
28 | app.kubernetes.io/component: admission-webhook
29 | spec:
30 | containers:
31 | - name: create
32 | image: "docker.io/jettech/kube-webhook-certgen:v1.5.1"
33 | imagePullPolicy: IfNotPresent
34 | args:
35 | - create
36 | - --host=my-ing-ingress-nginx-controller-admission,my-ing-ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
37 | - --namespace=$(POD_NAMESPACE)
38 | - --secret-name=my-ing-ingress-nginx-admission
39 | env:
40 | - name: POD_NAMESPACE
41 | valueFrom:
42 | fieldRef:
43 | fieldPath: metadata.namespace
44 | restartPolicy: OnFailure
45 | serviceAccountName: my-ing-ingress-nginx-admission
46 | securityContext:
47 | runAsNonRoot: true
48 | runAsUser: 2000
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Job.ingress.my-ing-ingress-nginx-admission-create
File: /lessons/082/my-ing/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml:3-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
3 | apiVersion: batch/v1
4 | kind: Job
5 | metadata:
6 | name: my-ing-ingress-nginx-admission-create
7 | namespace: ingress
8 | annotations:
9 | "helm.sh/hook": pre-install,pre-upgrade
10 | "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
11 | labels:
12 | helm.sh/chart: ingress-nginx-3.35.0
13 | app.kubernetes.io/name: ingress-nginx
14 | app.kubernetes.io/instance: my-ing
15 | app.kubernetes.io/version: "0.48.1"
16 | app.kubernetes.io/managed-by: Helm
17 | app.kubernetes.io/component: admission-webhook
18 | spec:
19 | template:
20 | metadata:
21 | name: my-ing-ingress-nginx-admission-create
22 | labels:
23 | helm.sh/chart: ingress-nginx-3.35.0
24 | app.kubernetes.io/name: ingress-nginx
25 | app.kubernetes.io/instance: my-ing
26 | app.kubernetes.io/version: "0.48.1"
27 | app.kubernetes.io/managed-by: Helm
28 | app.kubernetes.io/component: admission-webhook
29 | spec:
30 | containers:
31 | - name: create
32 | image: "docker.io/jettech/kube-webhook-certgen:v1.5.1"
33 | imagePullPolicy: IfNotPresent
34 | args:
35 | - create
36 | - --host=my-ing-ingress-nginx-controller-admission,my-ing-ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
37 | - --namespace=$(POD_NAMESPACE)
38 | - --secret-name=my-ing-ingress-nginx-admission
39 | env:
40 | - name: POD_NAMESPACE
41 | valueFrom:
42 | fieldRef:
43 | fieldPath: metadata.namespace
44 | restartPolicy: OnFailure
45 | serviceAccountName: my-ing-ingress-nginx-admission
46 | securityContext:
47 | runAsNonRoot: true
48 | runAsUser: 2000
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Job.ingress.my-ing-ingress-nginx-admission-create
File: /lessons/082/my-ing/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml:3-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
3 | apiVersion: batch/v1
4 | kind: Job
5 | metadata:
6 | name: my-ing-ingress-nginx-admission-create
7 | namespace: ingress
8 | annotations:
9 | "helm.sh/hook": pre-install,pre-upgrade
10 | "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
11 | labels:
12 | helm.sh/chart: ingress-nginx-3.35.0
13 | app.kubernetes.io/name: ingress-nginx
14 | app.kubernetes.io/instance: my-ing
15 | app.kubernetes.io/version: "0.48.1"
16 | app.kubernetes.io/managed-by: Helm
17 | app.kubernetes.io/component: admission-webhook
18 | spec:
19 | template:
20 | metadata:
21 | name: my-ing-ingress-nginx-admission-create
22 | labels:
23 | helm.sh/chart: ingress-nginx-3.35.0
24 | app.kubernetes.io/name: ingress-nginx
25 | app.kubernetes.io/instance: my-ing
26 | app.kubernetes.io/version: "0.48.1"
27 | app.kubernetes.io/managed-by: Helm
28 | app.kubernetes.io/component: admission-webhook
29 | spec:
30 | containers:
31 | - name: create
32 | image: "docker.io/jettech/kube-webhook-certgen:v1.5.1"
33 | imagePullPolicy: IfNotPresent
34 | args:
35 | - create
36 | - --host=my-ing-ingress-nginx-controller-admission,my-ing-ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
37 | - --namespace=$(POD_NAMESPACE)
38 | - --secret-name=my-ing-ingress-nginx-admission
39 | env:
40 | - name: POD_NAMESPACE
41 | valueFrom:
42 | fieldRef:
43 | fieldPath: metadata.namespace
44 | restartPolicy: OnFailure
45 | serviceAccountName: my-ing-ingress-nginx-admission
46 | securityContext:
47 | runAsNonRoot: true
48 | runAsUser: 2000
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Job.ingress.my-ing-ingress-nginx-admission-create
File: /lessons/082/my-ing/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml:3-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Job.ingress.my-ing-ingress-nginx-admission-create
File: /lessons/082/my-ing/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml:3-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Job.ingress.my-ing-ingress-nginx-admission-create
File: /lessons/082/my-ing/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml:3-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Job.ingress.my-ing-ingress-nginx-admission-create
File: /lessons/082/my-ing/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml:3-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Job.ingress.my-ing-ingress-nginx-admission-create
File: /lessons/082/my-ing/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml:3-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Job.ingress.my-ing-ingress-nginx-admission-create
File: /lessons/082/my-ing/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml:3-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Job.ingress.my-ing-ingress-nginx-admission-create
File: /lessons/082/my-ing/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml:3-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Job.ingress.my-ing-ingress-nginx-admission-create
File: /lessons/082/my-ing/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml:3-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Job.ingress.my-ing-ingress-nginx-admission-create
File: /lessons/082/my-ing/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml:3-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Job.ingress.my-ing-ingress-nginx-admission-create
File: /lessons/082/my-ing/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml:3-48
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Job.ingress.my-ing-ingress-nginx-admission-patch
File: /lessons/082/my-ing/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml:3-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
3 | apiVersion: batch/v1
4 | kind: Job
5 | metadata:
6 | name: my-ing-ingress-nginx-admission-patch
7 | namespace: ingress
8 | annotations:
9 | "helm.sh/hook": post-install,post-upgrade
10 | "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
11 | labels:
12 | helm.sh/chart: ingress-nginx-3.35.0
13 | app.kubernetes.io/name: ingress-nginx
14 | app.kubernetes.io/instance: my-ing
15 | app.kubernetes.io/version: "0.48.1"
16 | app.kubernetes.io/managed-by: Helm
17 | app.kubernetes.io/component: admission-webhook
18 | spec:
19 | template:
20 | metadata:
21 | name: my-ing-ingress-nginx-admission-patch
22 | labels:
23 | helm.sh/chart: ingress-nginx-3.35.0
24 | app.kubernetes.io/name: ingress-nginx
25 | app.kubernetes.io/instance: my-ing
26 | app.kubernetes.io/version: "0.48.1"
27 | app.kubernetes.io/managed-by: Helm
28 | app.kubernetes.io/component: admission-webhook
29 | spec:
30 | containers:
31 | - name: patch
32 | image: "docker.io/jettech/kube-webhook-certgen:v1.5.1"
33 | imagePullPolicy: IfNotPresent
34 | args:
35 | - patch
36 | - --webhook-name=my-ing-ingress-nginx-admission
37 | - --namespace=$(POD_NAMESPACE)
38 | - --patch-mutating=false
39 | - --secret-name=my-ing-ingress-nginx-admission
40 | - --patch-failure-policy=Fail
41 | env:
42 | - name: POD_NAMESPACE
43 | valueFrom:
44 | fieldRef:
45 | fieldPath: metadata.namespace
46 | restartPolicy: OnFailure
47 | serviceAccountName: my-ing-ingress-nginx-admission
48 | securityContext:
49 | runAsNonRoot: true
50 | runAsUser: 2000
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Job.ingress.my-ing-ingress-nginx-admission-patch
File: /lessons/082/my-ing/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml:3-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Job.ingress.my-ing-ingress-nginx-admission-patch
File: /lessons/082/my-ing/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml:3-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Job.ingress.my-ing-ingress-nginx-admission-patch
File: /lessons/082/my-ing/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml:3-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Job.ingress.my-ing-ingress-nginx-admission-patch
File: /lessons/082/my-ing/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml:3-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Job.ingress.my-ing-ingress-nginx-admission-patch
File: /lessons/082/my-ing/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml:3-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Job.ingress.my-ing-ingress-nginx-admission-patch
File: /lessons/082/my-ing/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml:3-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Job.ingress.my-ing-ingress-nginx-admission-patch
File: /lessons/082/my-ing/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml:3-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
3 | apiVersion: batch/v1
4 | kind: Job
5 | metadata:
6 |   name: my-ing-ingress-nginx-admission-patch
7 |   namespace: ingress
8 |   annotations:
9 |     "helm.sh/hook": post-install,post-upgrade
10 |     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
11 |   labels:
12 |     helm.sh/chart: ingress-nginx-3.35.0
13 |     app.kubernetes.io/name: ingress-nginx
14 |     app.kubernetes.io/instance: my-ing
15 |     app.kubernetes.io/version: "0.48.1"
16 |     app.kubernetes.io/managed-by: Helm
17 |     app.kubernetes.io/component: admission-webhook
18 | spec:
19 |   template:
20 |     metadata:
21 |       name: my-ing-ingress-nginx-admission-patch
22 |       labels:
23 |         helm.sh/chart: ingress-nginx-3.35.0
24 |         app.kubernetes.io/name: ingress-nginx
25 |         app.kubernetes.io/instance: my-ing
26 |         app.kubernetes.io/version: "0.48.1"
27 |         app.kubernetes.io/managed-by: Helm
28 |         app.kubernetes.io/component: admission-webhook
29 |     spec:
30 |       containers:
31 |         - name: patch
32 |           image: "docker.io/jettech/kube-webhook-certgen:v1.5.1"
33 |           imagePullPolicy: IfNotPresent
34 |           args:
35 |             - patch
36 |             - --webhook-name=my-ing-ingress-nginx-admission
37 |             - --namespace=$(POD_NAMESPACE)
38 |             - --patch-mutating=false
39 |             - --secret-name=my-ing-ingress-nginx-admission
40 |             - --patch-failure-policy=Fail
41 |           env:
42 |             - name: POD_NAMESPACE
43 |               valueFrom:
44 |                 fieldRef:
45 |                   fieldPath: metadata.namespace
46 |       restartPolicy: OnFailure
47 |       serviceAccountName: my-ing-ingress-nginx-admission
48 |       securityContext:
49 |         runAsNonRoot: true
50 |         runAsUser: 2000
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Job.ingress.my-ing-ingress-nginx-admission-patch
File: /lessons/082/my-ing/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml:3-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
3 | apiVersion: batch/v1
4 | kind: Job
5 | metadata:
6 |   name: my-ing-ingress-nginx-admission-patch
7 |   namespace: ingress
8 |   annotations:
9 |     "helm.sh/hook": post-install,post-upgrade
10 |     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
11 |   labels:
12 |     helm.sh/chart: ingress-nginx-3.35.0
13 |     app.kubernetes.io/name: ingress-nginx
14 |     app.kubernetes.io/instance: my-ing
15 |     app.kubernetes.io/version: "0.48.1"
16 |     app.kubernetes.io/managed-by: Helm
17 |     app.kubernetes.io/component: admission-webhook
18 | spec:
19 |   template:
20 |     metadata:
21 |       name: my-ing-ingress-nginx-admission-patch
22 |       labels:
23 |         helm.sh/chart: ingress-nginx-3.35.0
24 |         app.kubernetes.io/name: ingress-nginx
25 |         app.kubernetes.io/instance: my-ing
26 |         app.kubernetes.io/version: "0.48.1"
27 |         app.kubernetes.io/managed-by: Helm
28 |         app.kubernetes.io/component: admission-webhook
29 |     spec:
30 |       containers:
31 |         - name: patch
32 |           image: "docker.io/jettech/kube-webhook-certgen:v1.5.1"
33 |           imagePullPolicy: IfNotPresent
34 |           args:
35 |             - patch
36 |             - --webhook-name=my-ing-ingress-nginx-admission
37 |             - --namespace=$(POD_NAMESPACE)
38 |             - --patch-mutating=false
39 |             - --secret-name=my-ing-ingress-nginx-admission
40 |             - --patch-failure-policy=Fail
41 |           env:
42 |             - name: POD_NAMESPACE
43 |               valueFrom:
44 |                 fieldRef:
45 |                   fieldPath: metadata.namespace
46 |       restartPolicy: OnFailure
47 |       serviceAccountName: my-ing-ingress-nginx-admission
48 |       securityContext:
49 |         runAsNonRoot: true
50 |         runAsUser: 2000
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Job.ingress.my-ing-ingress-nginx-admission-patch
File: /lessons/082/my-ing/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml:3-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
3 | apiVersion: batch/v1
4 | kind: Job
5 | metadata:
6 |   name: my-ing-ingress-nginx-admission-patch
7 |   namespace: ingress
8 |   annotations:
9 |     "helm.sh/hook": post-install,post-upgrade
10 |     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
11 |   labels:
12 |     helm.sh/chart: ingress-nginx-3.35.0
13 |     app.kubernetes.io/name: ingress-nginx
14 |     app.kubernetes.io/instance: my-ing
15 |     app.kubernetes.io/version: "0.48.1"
16 |     app.kubernetes.io/managed-by: Helm
17 |     app.kubernetes.io/component: admission-webhook
18 | spec:
19 |   template:
20 |     metadata:
21 |       name: my-ing-ingress-nginx-admission-patch
22 |       labels:
23 |         helm.sh/chart: ingress-nginx-3.35.0
24 |         app.kubernetes.io/name: ingress-nginx
25 |         app.kubernetes.io/instance: my-ing
26 |         app.kubernetes.io/version: "0.48.1"
27 |         app.kubernetes.io/managed-by: Helm
28 |         app.kubernetes.io/component: admission-webhook
29 |     spec:
30 |       containers:
31 |         - name: patch
32 |           image: "docker.io/jettech/kube-webhook-certgen:v1.5.1"
33 |           imagePullPolicy: IfNotPresent
34 |           args:
35 |             - patch
36 |             - --webhook-name=my-ing-ingress-nginx-admission
37 |             - --namespace=$(POD_NAMESPACE)
38 |             - --patch-mutating=false
39 |             - --secret-name=my-ing-ingress-nginx-admission
40 |             - --patch-failure-policy=Fail
41 |           env:
42 |             - name: POD_NAMESPACE
43 |               valueFrom:
44 |                 fieldRef:
45 |                   fieldPath: metadata.namespace
46 |       restartPolicy: OnFailure
47 |       serviceAccountName: my-ing-ingress-nginx-admission
48 |       securityContext:
49 |         runAsNonRoot: true
50 |         runAsUser: 2000
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Job.ingress.my-ing-ingress-nginx-admission-patch
File: /lessons/082/my-ing/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml:3-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
3 | apiVersion: batch/v1
4 | kind: Job
5 | metadata:
6 |   name: my-ing-ingress-nginx-admission-patch
7 |   namespace: ingress
8 |   annotations:
9 |     "helm.sh/hook": post-install,post-upgrade
10 |     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
11 |   labels:
12 |     helm.sh/chart: ingress-nginx-3.35.0
13 |     app.kubernetes.io/name: ingress-nginx
14 |     app.kubernetes.io/instance: my-ing
15 |     app.kubernetes.io/version: "0.48.1"
16 |     app.kubernetes.io/managed-by: Helm
17 |     app.kubernetes.io/component: admission-webhook
18 | spec:
19 |   template:
20 |     metadata:
21 |       name: my-ing-ingress-nginx-admission-patch
22 |       labels:
23 |         helm.sh/chart: ingress-nginx-3.35.0
24 |         app.kubernetes.io/name: ingress-nginx
25 |         app.kubernetes.io/instance: my-ing
26 |         app.kubernetes.io/version: "0.48.1"
27 |         app.kubernetes.io/managed-by: Helm
28 |         app.kubernetes.io/component: admission-webhook
29 |     spec:
30 |       containers:
31 |         - name: patch
32 |           image: "docker.io/jettech/kube-webhook-certgen:v1.5.1"
33 |           imagePullPolicy: IfNotPresent
34 |           args:
35 |             - patch
36 |             - --webhook-name=my-ing-ingress-nginx-admission
37 |             - --namespace=$(POD_NAMESPACE)
38 |             - --patch-mutating=false
39 |             - --secret-name=my-ing-ingress-nginx-admission
40 |             - --patch-failure-policy=Fail
41 |           env:
42 |             - name: POD_NAMESPACE
43 |               valueFrom:
44 |                 fieldRef:
45 |                   fieldPath: metadata.namespace
46 |       restartPolicy: OnFailure
47 |       serviceAccountName: my-ing-ingress-nginx-admission
48 |       securityContext:
49 |         runAsNonRoot: true
50 |         runAsUser: 2000
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Job.ingress.my-ing-ingress-nginx-admission-patch
File: /lessons/082/my-ing/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml:3-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
3 | apiVersion: batch/v1
4 | kind: Job
5 | metadata:
6 |   name: my-ing-ingress-nginx-admission-patch
7 |   namespace: ingress
8 |   annotations:
9 |     "helm.sh/hook": post-install,post-upgrade
10 |     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
11 |   labels:
12 |     helm.sh/chart: ingress-nginx-3.35.0
13 |     app.kubernetes.io/name: ingress-nginx
14 |     app.kubernetes.io/instance: my-ing
15 |     app.kubernetes.io/version: "0.48.1"
16 |     app.kubernetes.io/managed-by: Helm
17 |     app.kubernetes.io/component: admission-webhook
18 | spec:
19 |   template:
20 |     metadata:
21 |       name: my-ing-ingress-nginx-admission-patch
22 |       labels:
23 |         helm.sh/chart: ingress-nginx-3.35.0
24 |         app.kubernetes.io/name: ingress-nginx
25 |         app.kubernetes.io/instance: my-ing
26 |         app.kubernetes.io/version: "0.48.1"
27 |         app.kubernetes.io/managed-by: Helm
28 |         app.kubernetes.io/component: admission-webhook
29 |     spec:
30 |       containers:
31 |         - name: patch
32 |           image: "docker.io/jettech/kube-webhook-certgen:v1.5.1"
33 |           imagePullPolicy: IfNotPresent
34 |           args:
35 |             - patch
36 |             - --webhook-name=my-ing-ingress-nginx-admission
37 |             - --namespace=$(POD_NAMESPACE)
38 |             - --patch-mutating=false
39 |             - --secret-name=my-ing-ingress-nginx-admission
40 |             - --patch-failure-policy=Fail
41 |           env:
42 |             - name: POD_NAMESPACE
43 |               valueFrom:
44 |                 fieldRef:
45 |                   fieldPath: metadata.namespace
46 |       restartPolicy: OnFailure
47 |       serviceAccountName: my-ing-ingress-nginx-admission
48 |       securityContext:
49 |         runAsNonRoot: true
50 |         runAsUser: 2000
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Job.ingress.my-ing-ingress-nginx-admission-patch
File: /lessons/082/my-ing/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml:3-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
3 | apiVersion: batch/v1
4 | kind: Job
5 | metadata:
6 |   name: my-ing-ingress-nginx-admission-patch
7 |   namespace: ingress
8 |   annotations:
9 |     "helm.sh/hook": post-install,post-upgrade
10 |     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
11 |   labels:
12 |     helm.sh/chart: ingress-nginx-3.35.0
13 |     app.kubernetes.io/name: ingress-nginx
14 |     app.kubernetes.io/instance: my-ing
15 |     app.kubernetes.io/version: "0.48.1"
16 |     app.kubernetes.io/managed-by: Helm
17 |     app.kubernetes.io/component: admission-webhook
18 | spec:
19 |   template:
20 |     metadata:
21 |       name: my-ing-ingress-nginx-admission-patch
22 |       labels:
23 |         helm.sh/chart: ingress-nginx-3.35.0
24 |         app.kubernetes.io/name: ingress-nginx
25 |         app.kubernetes.io/instance: my-ing
26 |         app.kubernetes.io/version: "0.48.1"
27 |         app.kubernetes.io/managed-by: Helm
28 |         app.kubernetes.io/component: admission-webhook
29 |     spec:
30 |       containers:
31 |         - name: patch
32 |           image: "docker.io/jettech/kube-webhook-certgen:v1.5.1"
33 |           imagePullPolicy: IfNotPresent
34 |           args:
35 |             - patch
36 |             - --webhook-name=my-ing-ingress-nginx-admission
37 |             - --namespace=$(POD_NAMESPACE)
38 |             - --patch-mutating=false
39 |             - --secret-name=my-ing-ingress-nginx-admission
40 |             - --patch-failure-policy=Fail
41 |           env:
42 |             - name: POD_NAMESPACE
43 |               valueFrom:
44 |                 fieldRef:
45 |                   fieldPath: metadata.namespace
46 |       restartPolicy: OnFailure
47 |       serviceAccountName: my-ing-ingress-nginx-admission
48 |       securityContext:
49 |         runAsNonRoot: true
50 |         runAsUser: 2000
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Job.ingress.my-ing-ingress-nginx-admission-patch
File: /lessons/082/my-ing/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml:3-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
3 | apiVersion: batch/v1
4 | kind: Job
5 | metadata:
6 |   name: my-ing-ingress-nginx-admission-patch
7 |   namespace: ingress
8 |   annotations:
9 |     "helm.sh/hook": post-install,post-upgrade
10 |     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
11 |   labels:
12 |     helm.sh/chart: ingress-nginx-3.35.0
13 |     app.kubernetes.io/name: ingress-nginx
14 |     app.kubernetes.io/instance: my-ing
15 |     app.kubernetes.io/version: "0.48.1"
16 |     app.kubernetes.io/managed-by: Helm
17 |     app.kubernetes.io/component: admission-webhook
18 | spec:
19 |   template:
20 |     metadata:
21 |       name: my-ing-ingress-nginx-admission-patch
22 |       labels:
23 |         helm.sh/chart: ingress-nginx-3.35.0
24 |         app.kubernetes.io/name: ingress-nginx
25 |         app.kubernetes.io/instance: my-ing
26 |         app.kubernetes.io/version: "0.48.1"
27 |         app.kubernetes.io/managed-by: Helm
28 |         app.kubernetes.io/component: admission-webhook
29 |     spec:
30 |       containers:
31 |         - name: patch
32 |           image: "docker.io/jettech/kube-webhook-certgen:v1.5.1"
33 |           imagePullPolicy: IfNotPresent
34 |           args:
35 |             - patch
36 |             - --webhook-name=my-ing-ingress-nginx-admission
37 |             - --namespace=$(POD_NAMESPACE)
38 |             - --patch-mutating=false
39 |             - --secret-name=my-ing-ingress-nginx-admission
40 |             - --patch-failure-policy=Fail
41 |           env:
42 |             - name: POD_NAMESPACE
43 |               valueFrom:
44 |                 fieldRef:
45 |                   fieldPath: metadata.namespace
46 |       restartPolicy: OnFailure
47 |       serviceAccountName: my-ing-ingress-nginx-admission
48 |       securityContext:
49 |         runAsNonRoot: true
50 |         runAsUser: 2000
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: StatefulSet.database.postgres-postgresql
File: /lessons/082/example-7/2-statefulset.yaml:2-117
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: StatefulSet.database.postgres-postgresql
File: /lessons/082/example-7/2-statefulset.yaml:2-117
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: StatefulSet.database.postgres-postgresql
File: /lessons/082/example-7/2-statefulset.yaml:2-117
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: StatefulSet.database.postgres-postgresql
File: /lessons/082/example-7/2-statefulset.yaml:2-117
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: StatefulSet.database.postgres-postgresql
File: /lessons/082/example-7/2-statefulset.yaml:2-117
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: StatefulSet.database.postgres-postgresql
File: /lessons/082/example-7/2-statefulset.yaml:2-117
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: StatefulSet.database.postgres-postgresql
File: /lessons/082/example-7/2-statefulset.yaml:2-117
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: StatefulSet.database.postgres-postgresql
File: /lessons/082/example-7/2-statefulset.yaml:2-117
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: StatefulSet.database.postgres-postgresql
File: /lessons/082/example-7/2-statefulset.yaml:2-117
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: StatefulSet.database.postgres-postgresql
File: /lessons/082/example-7/2-statefulset.yaml:2-117
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: StatefulSet.database.postgres-postgresql
File: /lessons/082/example-7/2-statefulset.yaml:2-117
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.foo.foo
File: /lessons/082/example-6/2-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   namespace: foo
6 |   name: foo
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: foo
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: foo
16 |     spec:
17 |       containers:
18 |       - name: foo
19 |         image: aputrabay/lesson-082:v0.1.6
20 |         args:
21 |         - -name
22 |         - foo
23 |         - -port
24 |         - "5698"
25 |         ports:
26 |         - name: http
27 |           containerPort: 5698
28 |           protocol: TCP
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.foo.foo
File: /lessons/082/example-6/2-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   namespace: foo
6 |   name: foo
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: foo
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: foo
16 |     spec:
17 |       containers:
18 |       - name: foo
19 |         image: aputrabay/lesson-082:v0.1.6
20 |         args:
21 |         - -name
22 |         - foo
23 |         - -port
24 |         - "5698"
25 |         ports:
26 |         - name: http
27 |           containerPort: 5698
28 |           protocol: TCP
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.foo.foo
File: /lessons/082/example-6/2-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   namespace: foo
6 |   name: foo
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: foo
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: foo
16 |     spec:
17 |       containers:
18 |       - name: foo
19 |         image: aputrabay/lesson-082:v0.1.6
20 |         args:
21 |         - -name
22 |         - foo
23 |         - -port
24 |         - "5698"
25 |         ports:
26 |         - name: http
27 |           containerPort: 5698
28 |           protocol: TCP
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.foo.foo
File: /lessons/082/example-6/2-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   namespace: foo
6 |   name: foo
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: foo
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: foo
16 |     spec:
17 |       containers:
18 |       - name: foo
19 |         image: aputrabay/lesson-082:v0.1.6
20 |         args:
21 |         - -name
22 |         - foo
23 |         - -port
24 |         - "5698"
25 |         ports:
26 |         - name: http
27 |           containerPort: 5698
28 |           protocol: TCP
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.foo.foo
File: /lessons/082/example-6/2-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   namespace: foo
6 |   name: foo
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: foo
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: foo
16 |     spec:
17 |       containers:
18 |       - name: foo
19 |         image: aputrabay/lesson-082:v0.1.6
20 |         args:
21 |         - -name
22 |         - foo
23 |         - -port
24 |         - "5698"
25 |         ports:
26 |         - name: http
27 |           containerPort: 5698
28 |           protocol: TCP
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.foo.foo
File: /lessons/082/example-6/2-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   namespace: foo
6 |   name: foo
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: foo
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: foo
16 |     spec:
17 |       containers:
18 |       - name: foo
19 |         image: aputrabay/lesson-082:v0.1.6
20 |         args:
21 |         - -name
22 |         - foo
23 |         - -port
24 |         - "5698"
25 |         ports:
26 |         - name: http
27 |           containerPort: 5698
28 |           protocol: TCP
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.foo.foo
File: /lessons/082/example-6/2-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   namespace: foo
6 |   name: foo
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: foo
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: foo
16 |     spec:
17 |       containers:
18 |       - name: foo
19 |         image: aputrabay/lesson-082:v0.1.6
20 |         args:
21 |         - -name
22 |         - foo
23 |         - -port
24 |         - "5698"
25 |         ports:
26 |         - name: http
27 |           containerPort: 5698
28 |           protocol: TCP
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.foo.foo
File: /lessons/082/example-6/2-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   namespace: foo
6 |   name: foo
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: foo
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: foo
16 |     spec:
17 |       containers:
18 |       - name: foo
19 |         image: aputrabay/lesson-082:v0.1.6
20 |         args:
21 |         - -name
22 |         - foo
23 |         - -port
24 |         - "5698"
25 |         ports:
26 |         - name: http
27 |           containerPort: 5698
28 |           protocol: TCP
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.foo.foo
File: /lessons/082/example-6/2-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   namespace: foo
6 |   name: foo
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: foo
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: foo
16 |     spec:
17 |       containers:
18 |       - name: foo
19 |         image: aputrabay/lesson-082:v0.1.6
20 |         args:
21 |         - -name
22 |         - foo
23 |         - -port
24 |         - "5698"
25 |         ports:
26 |         - name: http
27 |           containerPort: 5698
28 |           protocol: TCP
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.foo.foo
File: /lessons/082/example-6/2-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   namespace: foo
6 |   name: foo
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: foo
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: foo
16 |     spec:
17 |       containers:
18 |       - name: foo
19 |         image: aputrabay/lesson-082:v0.1.6
20 |         args:
21 |         - -name
22 |         - foo
23 |         - -port
24 |         - "5698"
25 |         ports:
26 |         - name: http
27 |           containerPort: 5698
28 |           protocol: TCP
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.foo.foo
File: /lessons/082/example-6/2-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   namespace: foo
6 |   name: foo
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: foo
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: foo
16 |     spec:
17 |       containers:
18 |       - name: foo
19 |         image: aputrabay/lesson-082:v0.1.6
20 |         args:
21 |         - -name
22 |         - foo
23 |         - -port
24 |         - "5698"
25 |         ports:
26 |         - name: http
27 |           containerPort: 5698
28 |           protocol: TCP
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.foo.foo
File: /lessons/082/example-6/2-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   namespace: foo
6 |   name: foo
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: foo
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: foo
16 |     spec:
17 |       containers:
18 |       - name: foo
19 |         image: aputrabay/lesson-082:v0.1.6
20 |         args:
21 |         - -name
22 |         - foo
23 |         - -port
24 |         - "5698"
25 |         ports:
26 |         - name: http
27 |           containerPort: 5698
28 |           protocol: TCP
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.foo.foo
File: /lessons/082/example-6/2-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   namespace: foo
6 |   name: foo
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: foo
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: foo
16 |     spec:
17 |       containers:
18 |       - name: foo
19 |         image: aputrabay/lesson-082:v0.1.6
20 |         args:
21 |         - -name
22 |         - foo
23 |         - -port
24 |         - "5698"
25 |         ports:
26 |         - name: http
27 |           containerPort: 5698
28 |           protocol: TCP
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.foo.foo
File: /lessons/082/example-6/2-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   namespace: foo
6 |   name: foo
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: foo
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: foo
16 |     spec:
17 |       containers:
18 |       - name: foo
19 |         image: aputrabay/lesson-082:v0.1.6
20 |         args:
21 |         - -name
22 |         - foo
23 |         - -port
24 |         - "5698"
25 |         ports:
26 |         - name: http
27 |           containerPort: 5698
28 |           protocol: TCP
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.foo.foo
File: /lessons/082/example-6/2-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   namespace: foo
6 |   name: foo
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: foo
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: foo
16 |     spec:
17 |       containers:
18 |       - name: foo
19 |         image: aputrabay/lesson-082:v0.1.6
20 |         args:
21 |         - -name
22 |         - foo
23 |         - -port
24 |         - "5698"
25 |         ports:
26 |         - name: http
27 |           containerPort: 5698
28 |           protocol: TCP
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.foo.foo
File: /lessons/082/example-6/2-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   namespace: foo
6 |   name: foo
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: foo
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: foo
16 |     spec:
17 |       containers:
18 |       - name: foo
19 |         image: aputrabay/lesson-082:v0.1.6
20 |         args:
21 |         - -name
22 |         - foo
23 |         - -port
24 |         - "5698"
25 |         ports:
26 |         - name: http
27 |           containerPort: 5698
28 |           protocol: TCP
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.foo.foo
File: /lessons/082/example-6/2-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.foo.foo
File: /lessons/082/example-6/2-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.bar.bar
File: /lessons/082/example-6/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   namespace: bar
6 |   name: bar
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: bar
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: bar
16 |     spec:
17 |       containers:
18 |         - name: bar
19 |           image: aputrabay/lesson-082:v0.1.6
20 |           args:
21 |             - -name
22 |             - bar
23 |             - -port
24 |             - "8956"
25 |           ports:
26 |             - name: http
27 |               containerPort: 8956
28 |               protocol: TCP
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.bar.bar
File: /lessons/082/example-6/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.bar.bar
File: /lessons/082/example-6/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.bar.bar
File: /lessons/082/example-6/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.bar.bar
File: /lessons/082/example-6/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.bar.bar
File: /lessons/082/example-6/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.bar.bar
File: /lessons/082/example-6/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.bar.bar
File: /lessons/082/example-6/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.bar.bar
File: /lessons/082/example-6/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.bar.bar
File: /lessons/082/example-6/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.bar.bar
File: /lessons/082/example-6/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.bar.bar
File: /lessons/082/example-6/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.bar.bar
File: /lessons/082/example-6/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.bar.bar
File: /lessons/082/example-6/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.bar.bar
File: /lessons/082/example-6/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.bar.bar
File: /lessons/082/example-6/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.bar.bar
File: /lessons/082/example-6/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.bar.bar
File: /lessons/082/example-6/3-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: ClusterRole.default.prometheus-operator
File: /lessons/082/prometheus/1-prometheus-operator/3-cluster-role.yaml:2-76
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/082/prometheus/1-prometheus-operator/5-deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: prometheus-operator
6 |   namespace: monitoring
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app.kubernetes.io/name: prometheus-operator
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app.kubernetes.io/name: prometheus-operator
16 |     spec:
17 |       containers:
18 |         - args:
19 |             - --kubelet-service=kube-system/kubelet
20 |             - --prometheus-config-reloader=quay.io/prometheus-operator/prometheus-config-reloader:v0.50.0
21 |           image: quay.io/prometheus-operator/prometheus-operator:v0.50.0
22 |           name: prometheus-operator
23 |           ports:
24 |             - containerPort: 8080
25 |               name: http
26 |           resources:
27 |             limits:
28 |               cpu: 200m
29 |               memory: 200Mi
30 |             requests:
31 |               cpu: 100m
32 |               memory: 100Mi
33 |           securityContext:
34 |             allowPrivilegeEscalation: false
35 |       nodeSelector:
36 |         kubernetes.io/os: linux
37 |       securityContext:
38 |         runAsNonRoot: true
39 |         runAsUser: 65534
40 |       serviceAccountName: prometheus-operator
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/082/prometheus/1-prometheus-operator/5-deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/082/prometheus/1-prometheus-operator/5-deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/082/prometheus/1-prometheus-operator/5-deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/082/prometheus/1-prometheus-operator/5-deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/082/prometheus/1-prometheus-operator/5-deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/082/prometheus/1-prometheus-operator/5-deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/082/prometheus/1-prometheus-operator/5-deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/082/prometheus/1-prometheus-operator/5-deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_153: "Prevent All NGINX Ingress annotation snippets. See CVE-2021-25742"
FAILED for resource: Ingress.monitoring.prometheus
File: /lessons/082/example-1/prometheus.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/prevent-all-nginx-ingress-annotation-snippets.html
2 | apiVersion: networking.k8s.io/v1
3 | kind: Ingress
4 | metadata:
5 |   name: prometheus
6 |   namespace: monitoring
7 |   annotations:
8 |     nginx.ingress.kubernetes.io/configuration-snippet: |
9 |       more_set_headers 'Foo: bar';
10 | spec:
11 |   ingressClassName: external-nginx
12 |   rules:
13 |     - host: prometheus.devopsbyexample.io
14 |       http:
15 |         paths:
16 |           - path: /
17 |             pathType: Prefix
18 |             backend:
19 |               service:
20 |                 name: prometheus-operated
21 |                 port:
22 |                   number: 9090
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/130/k8s/cadvisor/3-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/130/k8s/cadvisor/3-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/130/k8s/cadvisor/3-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/130/k8s/cadvisor/3-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/130/k8s/cadvisor/3-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/130/k8s/cadvisor/3-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/130/k8s/cadvisor/3-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/130/k8s/cadvisor/3-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/130/k8s/cadvisor/3-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/130/k8s/cadvisor/3-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/130/k8s/cadvisor/3-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/130/k8s/cadvisor/3-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/130/k8s/cadvisor/3-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/130/k8s/grafana/5-deployment.yaml:2-95
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/130/k8s/grafana/5-deployment.yaml:2-95
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/130/k8s/grafana/5-deployment.yaml:2-95
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/130/k8s/grafana/5-deployment.yaml:2-95
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/130/k8s/grafana/5-deployment.yaml:2-95
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/130/k8s/grafana/5-deployment.yaml:2-95
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/130/k8s/grafana/5-deployment.yaml:2-95
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/130/k8s/grafana/5-deployment.yaml:2-95
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/130/k8s/grafana/5-deployment.yaml:2-95
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/130/k8s/grafana/5-deployment.yaml:2-95
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/130/k8s/grafana/5-deployment.yaml:2-95
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: ClusterRole.default.prometheus-operator
File: /lessons/130/k8s/prometheus-operator/2-cluster-role.yaml:2-81
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/130/k8s/prometheus-operator/4-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/130/k8s/prometheus-operator/4-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/130/k8s/prometheus-operator/4-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/130/k8s/prometheus-operator/4-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/130/k8s/prometheus-operator/4-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/130/k8s/prometheus-operator/4-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/130/k8s/kube-state-metrics/3-deployment.yaml:2-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/130/k8s/kube-state-metrics/3-deployment.yaml:2-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/130/k8s/kube-state-metrics/3-deployment.yaml:2-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/130/k8s/kube-state-metrics/3-deployment.yaml:2-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/130/k8s/kube-state-metrics/3-deployment.yaml:2-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/130/k8s/kube-state-metrics/3-deployment.yaml:2-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/130/k8s/kube-state-metrics/3-deployment.yaml:2-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/130/k8s/kube-state-metrics/3-deployment.yaml:2-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/130/k8s/kube-state-metrics/3-deployment.yaml:2-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/130/k8s/node-exporter/3-daemonset.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/130/k8s/node-exporter/3-daemonset.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_19: "Containers should not share the host network namespace"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/130/k8s/node-exporter/3-daemonset.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-18.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/130/k8s/node-exporter/3-daemonset.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/130/k8s/node-exporter/3-daemonset.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_17: "Containers should not share the host process ID namespace"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/130/k8s/node-exporter/3-daemonset.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-16.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/130/k8s/node-exporter/3-daemonset.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/130/k8s/node-exporter/3-daemonset.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/130/k8s/node-exporter/3-daemonset.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/130/k8s/node-exporter/3-daemonset.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/130/k8s/node-exporter/3-daemonset.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/061/infra/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: default
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: nginx
12 | template:
13 | metadata:
14 | labels:
15 | app: nginx
16 | spec:
17 | containers:
18 | - name: nginx
19 | image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/nginx:1.19.8 # {"$imagepolicy": "flux-system:nginx"}
20 | ports:
21 | - containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx
File: /lessons/061/infra/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/061/infra/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx
File: /lessons/061/infra/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/061/infra/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/061/infra/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/061/infra/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx
File: /lessons/061/infra/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx
File: /lessons/061/infra/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/061/infra/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/061/infra/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx
File: /lessons/061/infra/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/061/infra/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx
File: /lessons/061/infra/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx
File: /lessons/061/infra/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 |   namespace: default
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: nginx
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: nginx
16 |     spec:
17 |       containers:
18 |         - name: nginx
19 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/nginx:1.19.8 # {"$imagepolicy": "flux-system:nginx"}
20 |           ports:
21 |             - containerPort: 80
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx
File: /lessons/061/infra/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 |   namespace: default
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: nginx
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: nginx
16 |     spec:
17 |       containers:
18 |         - name: nginx
19 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/nginx:1.19.8 # {"$imagepolicy": "flux-system:nginx"}
20 |           ports:
21 |             - containerPort: 80
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/061/infra/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 |   namespace: default
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: nginx
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: nginx
16 |     spec:
17 |       containers:
18 |         - name: nginx
19 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/nginx:1.19.8 # {"$imagepolicy": "flux-system:nginx"}
20 |           ports:
21 |             - containerPort: 80
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx
File: /lessons/061/infra/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 |   namespace: default
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: nginx
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: nginx
16 |     spec:
17 |       containers:
18 |         - name: nginx
19 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/nginx:1.19.8 # {"$imagepolicy": "flux-system:nginx"}
20 |           ports:
21 |             - containerPort: 80
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx
File: /lessons/061/infra/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 |   namespace: default
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: nginx
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: nginx
16 |     spec:
17 |       containers:
18 |         - name: nginx
19 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/nginx:1.19.8 # {"$imagepolicy": "flux-system:nginx"}
20 |           ports:
21 |             - containerPort: 80
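Every finding above for Deployment.default.nginx, and the same CKV_K8S_* checks repeated below for the ecr-credentials-sync CronJob, the go-app, grafana and myapp-control Deployments, comes from one missing block: a pod-level and container-level securityContext plus resource bounds, probes and a pinned image. The manifest below is an added example written for this page, not a file from the antonputra/tutorials repository. It keeps the nginx name and ECR image from the finding but makes two assumptions that are labelled in the comments: the image is rebuilt to listen on 8080 and write only under /var/cache/nginx and /tmp (the layout of the unprivileged nginx variant), because a process running as UID 10001 with every capability dropped cannot bind port 80; and the sha256 digest is a placeholder to be replaced with the real one from the registry. Under those assumptions the manifest satisfies each listed check; the check ID is noted beside the line that satisfies it. For the CronJob the same pod spec goes under spec.jobTemplate.spec.template.spec.

```yaml
# Added example (not from the tutorials repository): the nginx Deployment from
# lessons/061/infra/nginx.yaml with the settings each listed Checkov check expects.
apiVersion: v1
kind: Namespace
metadata:
  name: web                                 # CKV_K8S_21: keep workloads out of default
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: web
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      automountServiceAccountToken: false   # CKV_K8S_38: nginx never talks to the API server
      securityContext:                      # pod level (CKV_K8S_29)
        runAsNonRoot: true                  # CKV_K8S_23
        runAsUser: 10001                    # CKV_K8S_40: above 10000, no host UID collision
        runAsGroup: 10001
        fsGroup: 10001
        seccompProfile:
          type: RuntimeDefault              # CKV_K8S_31
      containers:
        - name: nginx
          # CKV_K8S_14 and CKV_K8S_43: fixed tag plus digest. The digest below is a
          # PLACEHOLDER (assumption); replace it with the digest of the image you pushed.
          image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/nginx:1.19.8@sha256:0000000000000000000000000000000000000000000000000000000000000000
          imagePullPolicy: Always           # CKV_K8S_15
          ports:
            - name: http
              containerPort: 8080           # assumption: image listens on an unprivileged port
          securityContext:                  # container level (CKV_K8S_30)
            allowPrivilegeEscalation: false # CKV_K8S_20: no setuid/file-capability escalation
            readOnlyRootFilesystem: true    # CKV_K8S_22
            capabilities:
              drop: ["ALL"]                 # CKV_K8S_28 (NET_RAW) and CKV_K8S_37
          resources:
            requests:
              cpu: 50m                      # CKV_K8S_10
              memory: 64Mi                  # CKV_K8S_12
            limits:
              cpu: 250m                     # CKV_K8S_11
              memory: 128Mi                 # CKV_K8S_13
          readinessProbe:                   # CKV_K8S_9
            httpGet:
              path: /
              port: http
            periodSeconds: 5
          livenessProbe:                    # CKV_K8S_8
            httpGet:
              path: /
              port: http
            initialDelaySeconds: 10
            periodSeconds: 10
          volumeMounts:                     # writable scratch space a read-only root needs
            - name: cache
              mountPath: /var/cache/nginx   # assumption: nginx temp/cache paths
            - name: tmp
              mountPath: /tmp               # assumption: pid file lives here
      volumes:
        - name: cache
          emptyDir: {}
        - name: tmp
          emptyDir: {}
```

One caveat a practitioner should settle before committing this: CKV_K8S_43 and the Flux `{"$imagepolicy": "flux-system:nginx"}` marker on the original image line pull in opposite directions. The marker exists so that Flux image automation rewrites the tag on every new image, and a hand-pinned digest would either be overwritten by that rewrite or go stale. Decide which mechanism owns the image reference; if Flux does, record the exception on the resource with the annotation `checkov.io/skip1: CKV_K8S_43=tag managed by Flux ImagePolicy` rather than leaving the finding unexplained. Rerun `checkov -d lessons/061/infra --framework kubernetes` after the change to confirm the listed checks pass.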
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: CronJob.flux-system.ecr-credentials-sync
File: /lessons/061/infra/ecr-job.yaml:36-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: CronJob.flux-system.ecr-credentials-sync
File: /lessons/061/infra/ecr-job.yaml:36-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: CronJob.flux-system.ecr-credentials-sync
File: /lessons/061/infra/ecr-job.yaml:36-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: CronJob.flux-system.ecr-credentials-sync
File: /lessons/061/infra/ecr-job.yaml:36-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: CronJob.flux-system.ecr-credentials-sync
File: /lessons/061/infra/ecr-job.yaml:36-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: CronJob.flux-system.ecr-credentials-sync
File: /lessons/061/infra/ecr-job.yaml:36-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: CronJob.flux-system.ecr-credentials-sync
File: /lessons/061/infra/ecr-job.yaml:36-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: CronJob.flux-system.ecr-credentials-sync
File: /lessons/061/infra/ecr-job.yaml:36-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: CronJob.flux-system.ecr-credentials-sync
File: /lessons/061/infra/ecr-job.yaml:36-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: CronJob.flux-system.ecr-credentials-sync
File: /lessons/061/infra/ecr-job.yaml:36-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: CronJob.flux-system.ecr-credentials-sync
File: /lessons/061/infra/ecr-job.yaml:36-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: CronJob.flux-system.ecr-credentials-sync
File: /lessons/061/infra/ecr-job.yaml:36-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: CronJob.flux-system.ecr-credentials-sync
File: /lessons/061/infra/ecr-job.yaml:36-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: CronJob.flux-system.ecr-credentials-sync
File: /lessons/061/infra/ecr-job.yaml:36-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: CronJob.flux-system.ecr-credentials-sync
File: /lessons/061/infra/ecr-job.yaml:36-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: CronJob.flux-system.ecr-credentials-sync
File: /lessons/061/infra/ecr-job.yaml:36-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: CronJob.flux-system.ecr-credentials-sync
File: /lessons/061/infra/ecr-job.yaml:36-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.go-app
File: /lessons/153/go-app/deploy/deployment.yaml:2-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.go-app
File: /lessons/153/go-app/deploy/deployment.yaml:2-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.go-app
File: /lessons/153/go-app/deploy/deployment.yaml:2-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.go-app
File: /lessons/153/go-app/deploy/deployment.yaml:2-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.go-app
File: /lessons/153/go-app/deploy/deployment.yaml:2-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.go-app
File: /lessons/153/go-app/deploy/deployment.yaml:2-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.go-app
File: /lessons/153/go-app/deploy/deployment.yaml:2-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.go-app
File: /lessons/153/go-app/deploy/deployment.yaml:2-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.go-app
File: /lessons/153/go-app/deploy/deployment.yaml:2-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.go-app
File: /lessons/153/go-app/deploy/deployment.yaml:2-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.go-app
File: /lessons/153/go-app/deploy/deployment.yaml:2-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.go-app
File: /lessons/153/go-app/deploy/deployment.yaml:2-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.staging.go-app
File: /lessons/153/go-app/deploy/deployment.yaml:2-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.go-app
File: /lessons/153/go-app/deploy/deployment.yaml:2-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/173/monitoring/grafana/deployment.yaml:2-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/173/monitoring/grafana/deployment.yaml:2-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/173/monitoring/grafana/deployment.yaml:2-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/173/monitoring/grafana/deployment.yaml:2-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/173/monitoring/grafana/deployment.yaml:2-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/173/monitoring/grafana/deployment.yaml:2-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
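CKV_K8S_35 fires when a container receives a Secret through `env[].valueFrom.secretKeyRef`. A value in the environment is inherited by every child process, readable from /proc/<pid>/environ by anything running as the same user inside the container, and routinely copied into crash dumps and debug output; a file mount exposes it only to code that deliberately opens the path and can be restricted by mode. The report does not print the grafana manifest, so the snippet below is an added example, not the repository's file: it assumes the Deployment injects the Grafana admin password from a Secret named grafana-admin (key admin-password) and shows the flagged form as comments next to the file-based form. Grafana reads any setting from a file when the variable name carries the `__FILE` suffix, which is what makes the swap a one-line change on the application side.

```yaml
# Added example (not the repository's grafana manifest): the same Secret delivered
# as a file instead of an environment variable. Secret name, key and image tag are
# assumptions for the example.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grafana
  namespace: monitoring
spec:
  replicas: 1
  selector:
    matchLabels:
      app: grafana
  template:
    metadata:
      labels:
        app: grafana
    spec:
      securityContext:
        fsGroup: 472                          # Grafana's image user; lets it read the mounted file
      containers:
        - name: grafana
          image: grafana/grafana:10.1.0       # assumption: tag chosen for the example
          ports:
            - name: http
              containerPort: 3000
          # Flagged form (CKV_K8S_35): the secret value lands in the process environment.
          # env:
          #   - name: GF_SECURITY_ADMIN_PASSWORD
          #     valueFrom:
          #       secretKeyRef:
          #         name: grafana-admin
          #         key: admin-password
          env:
            - name: GF_SECURITY_ADMIN_PASSWORD__FILE   # Grafana reads the value from this path
              value: /etc/grafana/secrets/admin-password
          volumeMounts:
            - name: admin-secret
              mountPath: /etc/grafana/secrets
              readOnly: true
      volumes:
        - name: admin-secret
          secret:
            secretName: grafana-admin         # assumed Secret with key admin-password
            defaultMode: 0440                 # owner and group read only
```

The mounted file is refreshed by the kubelet when the Secret changes, whereas an environment variable is fixed for the life of the process; that makes the file form the only one of the two that supports rotation without a restart for applications that re-read the path.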
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/173/monitoring/grafana/deployment.yaml:2-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/173/monitoring/grafana/deployment.yaml:2-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/173/monitoring/grafana/deployment.yaml:2-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/173/monitoring/grafana/deployment.yaml:2-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/173/monitoring/grafana/deployment.yaml:2-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: ClusterRole.default.prometheus-operator
File: /lessons/173/monitoring/prometheus-operator/rbac.yaml:13-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
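CKV_K8S_49 flags a `*` in the `apiGroups`, `resources` or `verbs` of any Role or ClusterRole rule. A wildcard is not a shorthand for the verbs or resources that exist today: `*` in `resources` covers every CRD later registered in that group, and `*` in `verbs` includes `delete` and `deletecollection` plus any verb the resource gains later, so the service account's reach grows without anyone editing the manifest. The report does not print the prometheus-operator ClusterRole, so the pair below is an added example: a hypothetical wildcard rule of the shape the check rejects, followed by an enumerated replacement. The resource names are the Prometheus Operator CRDs in monitoring.coreos.com; the exact verb list such a controller needs is an assumption for the example and must be taken from the operator's own documented RBAC when applied to a real deployment.

```yaml
# Added example (not the repository's rbac.yaml): a wildcard rule and the explicit
# rule that replaces it. Resource and verb lists are assumptions for the example.

# Flagged by CKV_K8S_49: every verb on every current and future resource in the group.
# - apiGroups: ["monitoring.coreos.com"]
#   resources: ["*"]
#   verbs: ["*"]

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: prometheus-operator
rules:
  - apiGroups: ["monitoring.coreos.com"]
    resources:                         # each CRD the operator reconciles, named explicitly
      - prometheuses
      - prometheuses/status
      - alertmanagers
      - alertmanagers/status
      - servicemonitors
      - podmonitors
      - prometheusrules
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["apps"]
    resources: ["statefulsets"]        # the workloads it creates for each Prometheus object
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["configmaps", "secrets"]   # generated scrape config and TLS material
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```

After binding the role, confirm the effective grant rather than trusting the manifest: `kubectl auth can-i --list --as=system:serviceaccount:monitoring:prometheus-operator` prints exactly what the service account can do, and a line reading `*.* [] [] [*]` means a wildcard is still in force somewhere. Note that write access to `secrets` cluster-wide is itself a strong grant; where the operator only manages a few namespaces, bind the role with a RoleBinding per namespace instead of a ClusterRoleBinding.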
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/173/monitoring/prometheus-operator/deployment.yaml:2-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/173/monitoring/prometheus-operator/deployment.yaml:2-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/173/monitoring/prometheus-operator/deployment.yaml:2-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/173/monitoring/prometheus-operator/deployment.yaml:2-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/173/monitoring/prometheus-operator/deployment.yaml:2-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.myapp
File: /lessons/173/1-example/3-service.yaml:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: Service
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   selector:
9 |     app: myapp
10 |   ports:
11 |     - protocol: TCP
12 |       port: 8080
13 |       targetPort: http
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.myapp-control
File: /lessons/173/1-example/1-control-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp-control
6 |   namespace: default
7 | spec:
8 |   replicas: 0
9 |   selector:
10 |     matchLabels:
11 |       app: myapp
12 |       type: control
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: myapp
17 |         type: control
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-173:v1
22 |           imagePullPolicy: Always
23 |           ports:
24 |             - name: http
25 |               containerPort: 8080
26 |           startupProbe:
27 |             tcpSocket:
28 |               port: http
29 |             initialDelaySeconds: 20
30 |             periodSeconds: 5
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.myapp-control
File: /lessons/173/1-example/1-control-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp-control
6 |   namespace: default
7 | spec:
8 |   replicas: 0
9 |   selector:
10 |     matchLabels:
11 |       app: myapp
12 |       type: control
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: myapp
17 |         type: control
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-173:v1
22 |           imagePullPolicy: Always
23 |           ports:
24 |             - name: http
25 |               containerPort: 8080
26 |           startupProbe:
27 |             tcpSocket:
28 |               port: http
29 |             initialDelaySeconds: 20
30 |             periodSeconds: 5
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.myapp-control
File: /lessons/173/1-example/1-control-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp-control
6 |   namespace: default
7 | spec:
8 |   replicas: 0
9 |   selector:
10 |     matchLabels:
11 |       app: myapp
12 |       type: control
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: myapp
17 |         type: control
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-173:v1
22 |           imagePullPolicy: Always
23 |           ports:
24 |             - name: http
25 |               containerPort: 8080
26 |           startupProbe:
27 |             tcpSocket:
28 |               port: http
29 |             initialDelaySeconds: 20
30 |             periodSeconds: 5
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.myapp-control
File: /lessons/173/1-example/1-control-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp-control
6 |   namespace: default
7 | spec:
8 |   replicas: 0
9 |   selector:
10 |     matchLabels:
11 |       app: myapp
12 |       type: control
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: myapp
17 |         type: control
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-173:v1
22 |           imagePullPolicy: Always
23 |           ports:
24 |             - name: http
25 |               containerPort: 8080
26 |           startupProbe:
27 |             tcpSocket:
28 |               port: http
29 |             initialDelaySeconds: 20
30 |             periodSeconds: 5
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.myapp-control
File: /lessons/173/1-example/1-control-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp-control
6 |   namespace: default
7 | spec:
8 |   replicas: 0
9 |   selector:
10 |     matchLabels:
11 |       app: myapp
12 |       type: control
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: myapp
17 |         type: control
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-173:v1
22 |           imagePullPolicy: Always
23 |           ports:
24 |             - name: http
25 |               containerPort: 8080
26 |           startupProbe:
27 |             tcpSocket:
28 |               port: http
29 |             initialDelaySeconds: 20
30 |             periodSeconds: 5
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.myapp-control
File: /lessons/173/1-example/1-control-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp-control
6 |   namespace: default
7 | spec:
8 |   replicas: 0
9 |   selector:
10 |     matchLabels:
11 |       app: myapp
12 |       type: control
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: myapp
17 |         type: control
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-173:v1
22 |           imagePullPolicy: Always
23 |           ports:
24 |             - name: http
25 |               containerPort: 8080
26 |           startupProbe:
27 |             tcpSocket:
28 |               port: http
29 |             initialDelaySeconds: 20
30 |             periodSeconds: 5
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.myapp-control
File: /lessons/173/1-example/1-control-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp-control
6 | namespace: default
7 | spec:
8 | replicas: 0
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | type: control
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | type: control
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v1
22 | imagePullPolicy: Always
23 | ports:
24 | - name: http
25 | containerPort: 8080
26 | startupProbe:
27 | tcpSocket:
28 | port: http
29 | initialDelaySeconds: 20
30 | periodSeconds: 5
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.myapp-control
File: /lessons/173/1-example/1-control-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp-control
6 | namespace: default
7 | spec:
8 | replicas: 0
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | type: control
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | type: control
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v1
22 | imagePullPolicy: Always
23 | ports:
24 | - name: http
25 | containerPort: 8080
26 | startupProbe:
27 | tcpSocket:
28 | port: http
29 | initialDelaySeconds: 20
30 | periodSeconds: 5
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.myapp-control
File: /lessons/173/1-example/1-control-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp-control
6 | namespace: default
7 | spec:
8 | replicas: 0
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | type: control
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | type: control
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v1
22 | imagePullPolicy: Always
23 | ports:
24 | - name: http
25 | containerPort: 8080
26 | startupProbe:
27 | tcpSocket:
28 | port: http
29 | initialDelaySeconds: 20
30 | periodSeconds: 5
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.myapp-control
File: /lessons/173/1-example/1-control-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp-control
6 | namespace: default
7 | spec:
8 | replicas: 0
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | type: control
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | type: control
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v1
22 | imagePullPolicy: Always
23 | ports:
24 | - name: http
25 | containerPort: 8080
26 | startupProbe:
27 | tcpSocket:
28 | port: http
29 | initialDelaySeconds: 20
30 | periodSeconds: 5
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.myapp-control
File: /lessons/173/1-example/1-control-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp-control
6 | namespace: default
7 | spec:
8 | replicas: 0
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | type: control
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | type: control
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v1
22 | imagePullPolicy: Always
23 | ports:
24 | - name: http
25 | containerPort: 8080
26 | startupProbe:
27 | tcpSocket:
28 | port: http
29 | initialDelaySeconds: 20
30 | periodSeconds: 5
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.myapp-control
File: /lessons/173/1-example/1-control-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp-control
6 | namespace: default
7 | spec:
8 | replicas: 0
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | type: control
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | type: control
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v1
22 | imagePullPolicy: Always
23 | ports:
24 | - name: http
25 | containerPort: 8080
26 | startupProbe:
27 | tcpSocket:
28 | port: http
29 | initialDelaySeconds: 20
30 | periodSeconds: 5
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.myapp-control
File: /lessons/173/1-example/1-control-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp-control
6 | namespace: default
7 | spec:
8 | replicas: 0
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | type: control
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | type: control
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v1
22 | imagePullPolicy: Always
23 | ports:
24 | - name: http
25 | containerPort: 8080
26 | startupProbe:
27 | tcpSocket:
28 | port: http
29 | initialDelaySeconds: 20
30 | periodSeconds: 5
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.myapp-control
File: /lessons/173/1-example/1-control-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp-control
6 | namespace: default
7 | spec:
8 | replicas: 0
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | type: control
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | type: control
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v1
22 | imagePullPolicy: Always
23 | ports:
24 | - name: http
25 | containerPort: 8080
26 | startupProbe:
27 | tcpSocket:
28 | port: http
29 | initialDelaySeconds: 20
30 | periodSeconds: 5
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.myapp-control
File: /lessons/173/1-example/1-control-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp-control
6 | namespace: default
7 | spec:
8 | replicas: 0
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | type: control
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | type: control
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v1
22 | imagePullPolicy: Always
23 | ports:
24 | - name: http
25 | containerPort: 8080
26 | startupProbe:
27 | tcpSocket:
28 | port: http
29 | initialDelaySeconds: 20
30 | periodSeconds: 5
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.myapp-control
File: /lessons/173/1-example/1-control-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp-control
6 | namespace: default
7 | spec:
8 | replicas: 0
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | type: control
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | type: control
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v1
22 | imagePullPolicy: Always
23 | ports:
24 | - name: http
25 | containerPort: 8080
26 | startupProbe:
27 | tcpSocket:
28 | port: http
29 | initialDelaySeconds: 20
30 | periodSeconds: 5
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.myapp-control
File: /lessons/173/1-example/1-control-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp-control
6 | namespace: default
7 | spec:
8 | replicas: 0
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | type: control
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | type: control
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v1
22 | imagePullPolicy: Always
23 | ports:
24 | - name: http
25 | containerPort: 8080
26 | startupProbe:
27 | tcpSocket:
28 | port: http
29 | initialDelaySeconds: 20
30 | periodSeconds: 5
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.myapp-control
File: /lessons/173/1-example/1-control-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp-control
6 | namespace: default
7 | spec:
8 | replicas: 0
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | type: control
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | type: control
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v1
22 | imagePullPolicy: Always
23 | ports:
24 | - name: http
25 | containerPort: 8080
26 | startupProbe:
27 | tcpSocket:
28 | port: http
29 | initialDelaySeconds: 20
30 | periodSeconds: 5
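Every check above for Deployment.default.myapp-control (and the identical set reported further down for myapp-canary and staging/myapp) traces back to a field the manifest leaves unset. The manifest below is an added example, not a file from the repository, showing the original Deployment with each missing field filled in and the check it satisfies noted beside it. The namespace `myapp`, the UID 10001, the resource sizes, the `/tmp` emptyDir and the all-zero image digest are placeholders chosen for illustration and are not taken from the original file.

```yaml
# Added example, not a file from the antonputra/tutorials repository.
# Namespace, UID, resource sizes, /tmp volume and the digest are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-control
  namespace: myapp                      # CKV_K8S_21: anything but "default" (assumed namespace)
spec:
  replicas: 0
  selector:
    matchLabels:
      app: myapp
      type: control
  template:
    metadata:
      labels:
        app: myapp
        type: control
    spec:
      automountServiceAccountToken: false   # CKV_K8S_38: the app never calls the API server
      securityContext:                      # CKV_K8S_29: pod-level security context
        runAsNonRoot: true                  # CKV_K8S_23: kubelet refuses to start a root process
        runAsUser: 10001                    # CKV_K8S_40: above 10000, so no overlap with host UIDs (assumed UID)
        runAsGroup: 10001                   # not required by any listed check; keeps group consistent
        seccompProfile:
          type: RuntimeDefault              # CKV_K8S_31: runtime's default syscall filter
      containers:
        - name: myapp
          # CKV_K8S_43: pin by digest instead of a mutable tag. The digest below is a
          # placeholder; read the real one with `crane digest aputra/myapp-173:v1`.
          image: aputra/myapp-173@sha256:0000000000000000000000000000000000000000000000000000000000000000
          imagePullPolicy: Always
          ports:
            - name: http
              containerPort: 8080
          securityContext:                  # CKV_K8S_30: container-level security context
            allowPrivilegeEscalation: false # CKV_K8S_20: no_new_privs, setuid binaries gain nothing
            readOnlyRootFilesystem: true    # CKV_K8S_22: image layers cannot be modified at runtime
            capabilities:
              drop: ["ALL"]                 # CKV_K8S_28 (NET_RAW) and CKV_K8S_37 (any capability)
          resources:                        # CKV_K8S_10, 11, 12, 13 (assumed sizing; tune from real usage)
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 256Mi
          startupProbe:
            tcpSocket:
              port: http
            initialDelaySeconds: 20
            periodSeconds: 5
          readinessProbe:                   # CKV_K8S_9: use an HTTP health path instead if the app has one
            tcpSocket:
              port: http
            periodSeconds: 10
          livenessProbe:                    # CKV_K8S_8
            tcpSocket:
              port: http
            periodSeconds: 20
          volumeMounts:
            - name: tmp
              mountPath: /tmp               # writable scratch space now that / is read-only (assumed path)
      volumes:
        - name: tmp
          emptyDir: {}
```

Two of these settings can break an image that was never tested under them: `readOnlyRootFilesystem` turns every write outside a mounted volume into an EROFS error, and `runAsUser: 10001` overrides whatever user the image's Dockerfile set, so files the process must write to need to be owned or group-writable by that UID. Roll the hardened spec out in a non-production namespace first and watch the container logs for those two failure modes before applying the same change to the canary and staging Deployments, which report the same findings.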
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.myapp-canary
File: /lessons/173/1-example/4-canary-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp-canary
6 | namespace: default
7 | spec:
8 | replicas: 10
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | type: canary
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | type: canary
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v2
22 | imagePullPolicy: Always
23 | ports:
24 | - name: http
25 | containerPort: 8080
26 | startupProbe:
27 | tcpSocket:
28 | port: http
29 | initialDelaySeconds: 20
30 | periodSeconds: 5
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.myapp-canary
File: /lessons/173/1-example/4-canary-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp-canary
6 | namespace: default
7 | spec:
8 | replicas: 10
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | type: canary
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | type: canary
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v2
22 | imagePullPolicy: Always
23 | ports:
24 | - name: http
25 | containerPort: 8080
26 | startupProbe:
27 | tcpSocket:
28 | port: http
29 | initialDelaySeconds: 20
30 | periodSeconds: 5
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.myapp-canary
File: /lessons/173/1-example/4-canary-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp-canary
6 | namespace: default
7 | spec:
8 | replicas: 10
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | type: canary
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | type: canary
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v2
22 | imagePullPolicy: Always
23 | ports:
24 | - name: http
25 | containerPort: 8080
26 | startupProbe:
27 | tcpSocket:
28 | port: http
29 | initialDelaySeconds: 20
30 | periodSeconds: 5
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.myapp-canary
File: /lessons/173/1-example/4-canary-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp-canary
6 | namespace: default
7 | spec:
8 | replicas: 10
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | type: canary
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | type: canary
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v2
22 | imagePullPolicy: Always
23 | ports:
24 | - name: http
25 | containerPort: 8080
26 | startupProbe:
27 | tcpSocket:
28 | port: http
29 | initialDelaySeconds: 20
30 | periodSeconds: 5
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.myapp-canary
File: /lessons/173/1-example/4-canary-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp-canary
6 | namespace: default
7 | spec:
8 | replicas: 10
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | type: canary
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | type: canary
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v2
22 | imagePullPolicy: Always
23 | ports:
24 | - name: http
25 | containerPort: 8080
26 | startupProbe:
27 | tcpSocket:
28 | port: http
29 | initialDelaySeconds: 20
30 | periodSeconds: 5
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.myapp-canary
File: /lessons/173/1-example/4-canary-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp-canary
6 | namespace: default
7 | spec:
8 | replicas: 10
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | type: canary
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | type: canary
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v2
22 | imagePullPolicy: Always
23 | ports:
24 | - name: http
25 | containerPort: 8080
26 | startupProbe:
27 | tcpSocket:
28 | port: http
29 | initialDelaySeconds: 20
30 | periodSeconds: 5
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.myapp-canary
File: /lessons/173/1-example/4-canary-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp-canary
6 | namespace: default
7 | spec:
8 | replicas: 10
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | type: canary
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | type: canary
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v2
22 | imagePullPolicy: Always
23 | ports:
24 | - name: http
25 | containerPort: 8080
26 | startupProbe:
27 | tcpSocket:
28 | port: http
29 | initialDelaySeconds: 20
30 | periodSeconds: 5
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.myapp-canary
File: /lessons/173/1-example/4-canary-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp-canary
6 | namespace: default
7 | spec:
8 | replicas: 10
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | type: canary
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | type: canary
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v2
22 | imagePullPolicy: Always
23 | ports:
24 | - name: http
25 | containerPort: 8080
26 | startupProbe:
27 | tcpSocket:
28 | port: http
29 | initialDelaySeconds: 20
30 | periodSeconds: 5
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.myapp-canary
File: /lessons/173/1-example/4-canary-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp-canary
6 | namespace: default
7 | spec:
8 | replicas: 10
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | type: canary
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | type: canary
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v2
22 | imagePullPolicy: Always
23 | ports:
24 | - name: http
25 | containerPort: 8080
26 | startupProbe:
27 | tcpSocket:
28 | port: http
29 | initialDelaySeconds: 20
30 | periodSeconds: 5
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.myapp-canary
File: /lessons/173/1-example/4-canary-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp-canary
6 | namespace: default
7 | spec:
8 | replicas: 10
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | type: canary
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | type: canary
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v2
22 | imagePullPolicy: Always
23 | ports:
24 | - name: http
25 | containerPort: 8080
26 | startupProbe:
27 | tcpSocket:
28 | port: http
29 | initialDelaySeconds: 20
30 | periodSeconds: 5
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.myapp-canary
File: /lessons/173/1-example/4-canary-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp-canary
6 | namespace: default
7 | spec:
8 | replicas: 10
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | type: canary
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | type: canary
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v2
22 | imagePullPolicy: Always
23 | ports:
24 | - name: http
25 | containerPort: 8080
26 | startupProbe:
27 | tcpSocket:
28 | port: http
29 | initialDelaySeconds: 20
30 | periodSeconds: 5
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.myapp-canary
File: /lessons/173/1-example/4-canary-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp-canary
6 | namespace: default
7 | spec:
8 | replicas: 10
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | type: canary
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | type: canary
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v2
22 | imagePullPolicy: Always
23 | ports:
24 | - name: http
25 | containerPort: 8080
26 | startupProbe:
27 | tcpSocket:
28 | port: http
29 | initialDelaySeconds: 20
30 | periodSeconds: 5
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.myapp-canary
File: /lessons/173/1-example/4-canary-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp-canary
6 | namespace: default
7 | spec:
8 | replicas: 10
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | type: canary
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | type: canary
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v2
22 | imagePullPolicy: Always
23 | ports:
24 | - name: http
25 | containerPort: 8080
26 | startupProbe:
27 | tcpSocket:
28 | port: http
29 | initialDelaySeconds: 20
30 | periodSeconds: 5
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.myapp-canary
File: /lessons/173/1-example/4-canary-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp-canary
6 | namespace: default
7 | spec:
8 | replicas: 10
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | type: canary
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | type: canary
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v2
22 | imagePullPolicy: Always
23 | ports:
24 | - name: http
25 | containerPort: 8080
26 | startupProbe:
27 | tcpSocket:
28 | port: http
29 | initialDelaySeconds: 20
30 | periodSeconds: 5
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.myapp-canary
File: /lessons/173/1-example/4-canary-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp-canary
6 | namespace: default
7 | spec:
8 | replicas: 10
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | type: canary
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | type: canary
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v2
22 | imagePullPolicy: Always
23 | ports:
24 | - name: http
25 | containerPort: 8080
26 | startupProbe:
27 | tcpSocket:
28 | port: http
29 | initialDelaySeconds: 20
30 | periodSeconds: 5
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.myapp-canary
File: /lessons/173/1-example/4-canary-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp-canary
6 | namespace: default
7 | spec:
8 | replicas: 10
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | type: canary
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | type: canary
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v2
22 | imagePullPolicy: Always
23 | ports:
24 | - name: http
25 | containerPort: 8080
26 | startupProbe:
27 | tcpSocket:
28 | port: http
29 | initialDelaySeconds: 20
30 | periodSeconds: 5
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.myapp-canary
File: /lessons/173/1-example/4-canary-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp-canary
6 | namespace: default
7 | spec:
8 | replicas: 10
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | type: canary
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | type: canary
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v2
22 | imagePullPolicy: Always
23 | ports:
24 | - name: http
25 | containerPort: 8080
26 | startupProbe:
27 | tcpSocket:
28 | port: http
29 | initialDelaySeconds: 20
30 | periodSeconds: 5
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.myapp-canary
File: /lessons/173/1-example/4-canary-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp-canary
6 | namespace: default
7 | spec:
8 | replicas: 10
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | type: canary
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | type: canary
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v2
22 | imagePullPolicy: Always
23 | ports:
24 | - name: http
25 | containerPort: 8080
26 | startupProbe:
27 | tcpSocket:
28 | port: http
29 | initialDelaySeconds: 20
30 | periodSeconds: 5
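A scanner such as checkov only reports what is in the files it is given; nothing stops someone from applying a manifest that skipped the scan. The Namespace below is an added example, not part of the repository, showing how Pod Security Admission enforces the subset of these checks that the built-in `restricted` profile covers (runAsNonRoot, allowPrivilegeEscalation=false, capabilities dropped to ALL, seccomp RuntimeDefault) at admission time. The namespace name `myapp` is an assumption.

```yaml
# Added example, not a file from the antonputra/tutorials repository.
# The namespace name is an assumption.
apiVersion: v1
kind: Namespace
metadata:
  name: myapp
  labels:
    # Reject any new Pod that does not meet the restricted profile.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    # Also return a warning to the kubectl user and record the violation in the audit log.
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
```

Before switching `enforce` on for a namespace that already has workloads, preview the effect with `kubectl label --dry-run=server --overwrite ns myapp pod-security.kubernetes.io/enforce=restricted`; the API server prints one warning per Pod that would be rejected and changes nothing. Enforcement applies to Pods as they are created, so Pods already running are not evicted, and the Deployment controller will report the rejection in the ReplicaSet's events on the next rollout. The profile does not cover read-only root filesystems, resource requests and limits, probes, image digests or service-account token mounting (CKV_K8S_22, 8 to 13, 43 and 38), so those still rely on the scanner or on a separate admission policy.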
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.staging.myapp
File: /lessons/173/2-example/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v1
22 | ports:
23 | - name: http
24 | containerPort: 8080
25 | startupProbe:
26 | tcpSocket:
27 | port: http
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.myapp
File: /lessons/173/2-example/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v1
22 | ports:
23 | - name: http
24 | containerPort: 8080
25 | startupProbe:
26 | tcpSocket:
27 | port: http
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.staging.myapp
File: /lessons/173/2-example/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v1
22 | ports:
23 | - name: http
24 | containerPort: 8080
25 | startupProbe:
26 | tcpSocket:
27 | port: http
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.myapp
File: /lessons/173/2-example/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v1
22 | ports:
23 | - name: http
24 | containerPort: 8080
25 | startupProbe:
26 | tcpSocket:
27 | port: http
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.myapp
File: /lessons/173/2-example/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-173:v1
22 | ports:
23 | - name: http
24 | containerPort: 8080
25 | startupProbe:
26 | tcpSocket:
27 | port: http
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.myapp
File: /lessons/173/2-example/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.myapp
File: /lessons/173/2-example/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.myapp
File: /lessons/173/2-example/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.myapp
File: /lessons/173/2-example/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.myapp
File: /lessons/173/2-example/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.myapp
File: /lessons/173/2-example/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.staging.myapp
File: /lessons/173/2-example/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.myapp
File: /lessons/173/2-example/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.myapp
File: /lessons/173/2-example/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.myapp
File: /lessons/173/2-example/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.staging.myapp
File: /lessons/173/2-example/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.staging.myapp
File: /lessons/173/2-example/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.myapp
File: /lessons/173/2-example/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx
File: /lessons/160/demo/deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 |   namespace: default
7 | spec:
8 |   replicas: 4
9 |   selector:
10 |     matchLabels:
11 |       app: nginx
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: nginx
16 |     spec:
17 |       containers:
18 |         - name: nginx
19 |           image: nginx:1.23.4
20 |           ports:
21 |             - containerPort: 80
22 |           resources:
23 |             requests:
24 |               memory: 2Gi
25 |               cpu: "1"
26 |             limits:
27 |               memory: 2Gi
28 |               cpu: "1"
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx
File: /lessons/160/demo/deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/160/demo/deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/160/demo/deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/160/demo/deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx
File: /lessons/160/demo/deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx
File: /lessons/160/demo/deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/160/demo/deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/160/demo/deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx
File: /lessons/160/demo/deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx
File: /lessons/160/demo/deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx
File: /lessons/160/demo/deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx
File: /lessons/160/demo/deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx
File: /lessons/160/demo/deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx
File: /lessons/160/demo/deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.dev.flask
File: /lessons/157/k8s/1-deployment.yaml:2-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.dev.flask
File: /lessons/157/k8s/1-deployment.yaml:2-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.dev.flask
File: /lessons/157/k8s/1-deployment.yaml:2-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.dev.flask
File: /lessons/157/k8s/1-deployment.yaml:2-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.dev.flask
File: /lessons/157/k8s/1-deployment.yaml:2-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.dev.flask
File: /lessons/157/k8s/1-deployment.yaml:2-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.dev.flask
File: /lessons/157/k8s/1-deployment.yaml:2-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.dev.flask
File: /lessons/157/k8s/1-deployment.yaml:2-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.dev.flask
File: /lessons/157/k8s/1-deployment.yaml:2-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.dev.flask
File: /lessons/157/k8s/1-deployment.yaml:2-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.dev.flask
File: /lessons/157/k8s/1-deployment.yaml:2-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.dev.flask
File: /lessons/157/k8s/1-deployment.yaml:2-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/108/k8s/1-example.yaml:2-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx-deployment
6 |   namespace: default
7 | spec:
8 |   replicas: 2
9 |   selector:
10 |     matchLabels:
11 |       app: nginx
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: nginx
16 |     spec:
17 |       containers:
18 |         - name: nginx
19 |           image: nginx:1.14.2
20 |           ports:
21 |             - containerPort: 80
22 |       tolerations:
23 |         - key: instance_type
24 |           value: spot
25 |           effect: NoSchedule
26 |           operator: Equal
27 |       affinity:
28 |         nodeAffinity:
29 |           requiredDuringSchedulingIgnoredDuringExecution:
30 |             nodeSelectorTerms:
31 |               - matchExpressions:
32 |                   - key: team
33 |                     operator: In
34 |                     values:
35 |                       - devops
36 |         podAntiAffinity:
37 |           requiredDuringSchedulingIgnoredDuringExecution:
38 |             - labelSelector:
39 |                 matchExpressions:
40 |                   - key: app
41 |                     operator: In
42 |                     values:
43 |                       - nginx
44 |               topologyKey: kubernetes.io/hostname
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/108/k8s/1-example.yaml:2-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/108/k8s/1-example.yaml:2-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/108/k8s/1-example.yaml:2-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/108/k8s/1-example.yaml:2-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/108/k8s/1-example.yaml:2-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/108/k8s/1-example.yaml:2-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/108/k8s/1-example.yaml:2-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/108/k8s/1-example.yaml:2-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/108/k8s/1-example.yaml:2-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/108/k8s/1-example.yaml:2-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/108/k8s/1-example.yaml:2-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/108/k8s/1-example.yaml:2-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/108/k8s/1-example.yaml:2-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/108/k8s/1-example.yaml:2-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/108/k8s/1-example.yaml:2-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/108/k8s/1-example.yaml:2-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/108/k8s/1-example.yaml:2-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/108/k8s/1-example.yaml:2-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.nginx
File: /lessons/108/k8s/3-example.yaml:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: Service
4 | metadata:
5 |   name: nginx
6 |   namespace: default
7 | spec:
8 |   selector:
9 |     app: nginx
10 |   ports:
11 |   - protocol: TCP
12 |     port: 80
13 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Ingress.default.nginx-ing
File: /lessons/108/k8s/3-example.yaml:14-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
14 | apiVersion: networking.k8s.io/v1
15 | kind: Ingress
16 | metadata:
17 |   name: nginx-ing
18 |   namespace: default
19 | spec:
20 |   ingressClassName: external-nginx
21 |   rules:
22 |   - host: api.devopsbyexample.io
23 |     http:
24 |       paths:
25 |       - path: /
26 |         pathType: Prefix
27 |         backend:
28 |           service:
29 |             name: nginx
30 |             port:
31 |               number: 80
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.staging.gcloud
File: /lessons/108/k8s/2-example.yaml:15-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
15 | apiVersion: apps/v1
16 | kind: Deployment
17 | metadata:
18 |   name: gcloud
19 |   namespace: staging
20 | spec:
21 |   replicas: 1
22 |   selector:
23 |     matchLabels:
24 |       app: gcloud
25 |   template:
26 |     metadata:
27 |       labels:
28 |         app: gcloud
29 |     spec:
30 |       serviceAccountName: service-a
31 |       containers:
32 |       - name: cloud-sdk
33 |         image: google/cloud-sdk:latest
34 |         command: [ "/bin/bash", "-c", "--" ]
35 |         args: [ "while true; do sleep 30; done;" ]
36 |       affinity:
37 |         nodeAffinity:
38 |           requiredDuringSchedulingIgnoredDuringExecution:
39 |             nodeSelectorTerms:
40 |             - matchExpressions:
41 |               - key: iam.gke.io/gke-metadata-server-enabled
42 |                 operator: In
43 |                 values:
44 |                 - "true"
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.gcloud
File: /lessons/108/k8s/2-example.yaml:15-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.staging.gcloud
File: /lessons/108/k8s/2-example.yaml:15-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.gcloud
File: /lessons/108/k8s/2-example.yaml:15-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.gcloud
File: /lessons/108/k8s/2-example.yaml:15-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.gcloud
File: /lessons/108/k8s/2-example.yaml:15-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.gcloud
File: /lessons/108/k8s/2-example.yaml:15-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.gcloud
File: /lessons/108/k8s/2-example.yaml:15-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.gcloud
File: /lessons/108/k8s/2-example.yaml:15-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.gcloud
File: /lessons/108/k8s/2-example.yaml:15-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.gcloud
File: /lessons/108/k8s/2-example.yaml:15-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.staging.gcloud
File: /lessons/108/k8s/2-example.yaml:15-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.gcloud
File: /lessons/108/k8s/2-example.yaml:15-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.gcloud
File: /lessons/108/k8s/2-example.yaml:15-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.gcloud
File: /lessons/108/k8s/2-example.yaml:15-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.staging.gcloud
File: /lessons/108/k8s/2-example.yaml:15-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.staging.gcloud
File: /lessons/108/k8s/2-example.yaml:15-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.gcloud
File: /lessons/108/k8s/2-example.yaml:15-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.staging.echoserver
File: /lessons/116/k8s/echo-server.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: echoserver
11 |   namespace: staging
12 | spec:
13 |   selector:
14 |     matchLabels:
15 |       app: echoserver
16 |   replicas: 1
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: echoserver
21 |     spec:
22 |       containers:
23 |       - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 |         name: echoserver
25 |         ports:
26 |         - containerPort: 8080
27 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.echoserver
File: /lessons/116/k8s/echo-server.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.staging.echoserver
File: /lessons/116/k8s/echo-server.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.echoserver
File: /lessons/116/k8s/echo-server.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.echoserver
File: /lessons/116/k8s/echo-server.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.echoserver
File: /lessons/116/k8s/echo-server.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.echoserver
File: /lessons/116/k8s/echo-server.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.echoserver
File: /lessons/116/k8s/echo-server.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.echoserver
File: /lessons/116/k8s/echo-server.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.echoserver
File: /lessons/116/k8s/echo-server.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.echoserver
File: /lessons/116/k8s/echo-server.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.staging.echoserver
File: /lessons/116/k8s/echo-server.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.echoserver
File: /lessons/116/k8s/echo-server.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.echoserver
File: /lessons/116/k8s/echo-server.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.echoserver
File: /lessons/116/k8s/echo-server.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.staging.echoserver
File: /lessons/116/k8s/echo-server.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.staging.echoserver
File: /lessons/116/k8s/echo-server.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.echoserver
File: /lessons/116/k8s/echo-server.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: DaemonSet.kube-system.secrets-secrets-store-csi-driver
File: /lessons/079/secrets-store-csi-driver/5-daemonset.yaml:2-142
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: DaemonSet.kube-system.secrets-secrets-store-csi-driver
File: /lessons/079/secrets-store-csi-driver/5-daemonset.yaml:2-142
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: DaemonSet.kube-system.secrets-secrets-store-csi-driver
File: /lessons/079/secrets-store-csi-driver/5-daemonset.yaml:2-142
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_16: "Container should not be privileged"
FAILED for resource: DaemonSet.kube-system.secrets-secrets-store-csi-driver
File: /lessons/079/secrets-store-csi-driver/5-daemonset.yaml:2-142
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-15.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: DaemonSet.kube-system.secrets-secrets-store-csi-driver
File: /lessons/079/secrets-store-csi-driver/5-daemonset.yaml:2-142
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: DaemonSet.kube-system.secrets-secrets-store-csi-driver
File: /lessons/079/secrets-store-csi-driver/5-daemonset.yaml:2-142
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: DaemonSet.kube-system.secrets-secrets-store-csi-driver
File: /lessons/079/secrets-store-csi-driver/5-daemonset.yaml:2-142
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: DaemonSet.kube-system.secrets-secrets-store-csi-driver
File: /lessons/079/secrets-store-csi-driver/5-daemonset.yaml:2-142
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: DaemonSet.kube-system.secrets-secrets-store-csi-driver
File: /lessons/079/secrets-store-csi-driver/5-daemonset.yaml:2-142
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: DaemonSet.kube-system.secrets-secrets-store-csi-driver
File: /lessons/079/secrets-store-csi-driver/5-daemonset.yaml:2-142
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: DaemonSet.kube-system.secrets-secrets-store-csi-driver
File: /lessons/079/secrets-store-csi-driver/5-daemonset.yaml:2-142
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: DaemonSet.kube-system.secrets-secrets-store-csi-driver
File: /lessons/079/secrets-store-csi-driver/5-daemonset.yaml:2-142
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: DaemonSet.kube-system.secrets-secrets-store-csi-driver
File: /lessons/079/secrets-store-csi-driver/5-daemonset.yaml:2-142
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: DaemonSet.kube-system.secrets-secrets-store-csi-driver
File: /lessons/079/secrets-store-csi-driver/5-daemonset.yaml:2-142
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: DaemonSet.kube-system.secrets-secrets-store-csi-driver
File: /lessons/079/secrets-store-csi-driver/5-daemonset.yaml:2-142
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: DaemonSet.kube-system.csi-secrets-store-provider-aws
File: /lessons/079/aws-provider-installer/3-daemonset.yaml:2-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: DaemonSet
4 | metadata:
5 |   namespace: kube-system
6 |   name: csi-secrets-store-provider-aws
7 |   labels:
8 |     app: csi-secrets-store-provider-aws
9 | spec:
10 |   updateStrategy:
11 |     type: RollingUpdate
12 |   selector:
13 |     matchLabels:
14 |       app: csi-secrets-store-provider-aws
15 |   template:
16 |     metadata:
17 |       labels:
18 |         app: csi-secrets-store-provider-aws
19 |     spec:
20 |       serviceAccountName: csi-secrets-store-provider-aws
21 |       hostNetwork: true
22 |       containers:
23 |         - name: provider-aws-installer
24 |           image: public.ecr.aws/aws-secrets-manager/secrets-store-csi-driver-provider-aws:1.0.r1-10-g1942553-2021.06.04.00.07-linux-amd64
25 |           imagePullPolicy: Always
26 |           args:
27 |             - --provider-volume=/etc/kubernetes/secrets-store-csi-providers
28 |           resources:
29 |             requests:
30 |               cpu: 50m
31 |               memory: 100Mi
32 |             limits:
33 |               cpu: 50m
34 |               memory: 100Mi
35 |           volumeMounts:
36 |             - mountPath: "/etc/kubernetes/secrets-store-csi-providers"
37 |               name: providervol
38 |             - name: mountpoint-dir
39 |               mountPath: /var/lib/kubelet/pods
40 |               mountPropagation: HostToContainer
41 |       volumes:
42 |         - name: providervol
43 |           hostPath:
44 |             path: "/etc/kubernetes/secrets-store-csi-providers"
45 |         - name: mountpoint-dir
46 |           hostPath:
47 |             path: /var/lib/kubelet/pods
48 |             type: DirectoryOrCreate
49 |       nodeSelector:
50 |         kubernetes.io/os: linux
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: DaemonSet.kube-system.csi-secrets-store-provider-aws
File: /lessons/079/aws-provider-installer/3-daemonset.yaml:2-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: DaemonSet.kube-system.csi-secrets-store-provider-aws
File: /lessons/079/aws-provider-installer/3-daemonset.yaml:2-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: DaemonSet
4 | metadata:
5 | namespace: kube-system
6 | name: csi-secrets-store-provider-aws
7 | labels:
8 | app: csi-secrets-store-provider-aws
9 | spec:
10 | updateStrategy:
11 | type: RollingUpdate
12 | selector:
13 | matchLabels:
14 | app: csi-secrets-store-provider-aws
15 | template:
16 | metadata:
17 | labels:
18 | app: csi-secrets-store-provider-aws
19 | spec:
20 | serviceAccountName: csi-secrets-store-provider-aws
21 | hostNetwork: true
22 | containers:
23 | - name: provider-aws-installer
24 | image: public.ecr.aws/aws-secrets-manager/secrets-store-csi-driver-provider-aws:1.0.r1-10-g1942553-2021.06.04.00.07-linux-amd64
25 | imagePullPolicy: Always
26 | args:
27 | - --provider-volume=/etc/kubernetes/secrets-store-csi-providers
28 | resources:
29 | requests:
30 | cpu: 50m
31 | memory: 100Mi
32 | limits:
33 | cpu: 50m
34 | memory: 100Mi
35 | volumeMounts:
36 | - mountPath: "/etc/kubernetes/secrets-store-csi-providers"
37 | name: providervol
38 | - name: mountpoint-dir
39 | mountPath: /var/lib/kubelet/pods
40 | mountPropagation: HostToContainer
41 | volumes:
42 | - name: providervol
43 | hostPath:
44 | path: "/etc/kubernetes/secrets-store-csi-providers"
45 | - name: mountpoint-dir
46 | hostPath:
47 | path: /var/lib/kubelet/pods
48 | type: DirectoryOrCreate
49 | nodeSelector:
50 | kubernetes.io/os: linux
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: DaemonSet.kube-system.csi-secrets-store-provider-aws
File: /lessons/079/aws-provider-installer/3-daemonset.yaml:2-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: DaemonSet
4 | metadata:
5 | namespace: kube-system
6 | name: csi-secrets-store-provider-aws
7 | labels:
8 | app: csi-secrets-store-provider-aws
9 | spec:
10 | updateStrategy:
11 | type: RollingUpdate
12 | selector:
13 | matchLabels:
14 | app: csi-secrets-store-provider-aws
15 | template:
16 | metadata:
17 | labels:
18 | app: csi-secrets-store-provider-aws
19 | spec:
20 | serviceAccountName: csi-secrets-store-provider-aws
21 | hostNetwork: true
22 | containers:
23 | - name: provider-aws-installer
24 | image: public.ecr.aws/aws-secrets-manager/secrets-store-csi-driver-provider-aws:1.0.r1-10-g1942553-2021.06.04.00.07-linux-amd64
25 | imagePullPolicy: Always
26 | args:
27 | - --provider-volume=/etc/kubernetes/secrets-store-csi-providers
28 | resources:
29 | requests:
30 | cpu: 50m
31 | memory: 100Mi
32 | limits:
33 | cpu: 50m
34 | memory: 100Mi
35 | volumeMounts:
36 | - mountPath: "/etc/kubernetes/secrets-store-csi-providers"
37 | name: providervol
38 | - name: mountpoint-dir
39 | mountPath: /var/lib/kubelet/pods
40 | mountPropagation: HostToContainer
41 | volumes:
42 | - name: providervol
43 | hostPath:
44 | path: "/etc/kubernetes/secrets-store-csi-providers"
45 | - name: mountpoint-dir
46 | hostPath:
47 | path: /var/lib/kubelet/pods
48 | type: DirectoryOrCreate
49 | nodeSelector:
50 | kubernetes.io/os: linux
Check: CKV_K8S_19: "Containers should not share the host network namespace"
FAILED for resource: DaemonSet.kube-system.csi-secrets-store-provider-aws
File: /lessons/079/aws-provider-installer/3-daemonset.yaml:2-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-18.html
2 | apiVersion: apps/v1
3 | kind: DaemonSet
4 | metadata:
5 | namespace: kube-system
6 | name: csi-secrets-store-provider-aws
7 | labels:
8 | app: csi-secrets-store-provider-aws
9 | spec:
10 | updateStrategy:
11 | type: RollingUpdate
12 | selector:
13 | matchLabels:
14 | app: csi-secrets-store-provider-aws
15 | template:
16 | metadata:
17 | labels:
18 | app: csi-secrets-store-provider-aws
19 | spec:
20 | serviceAccountName: csi-secrets-store-provider-aws
21 | hostNetwork: true
22 | containers:
23 | - name: provider-aws-installer
24 | image: public.ecr.aws/aws-secrets-manager/secrets-store-csi-driver-provider-aws:1.0.r1-10-g1942553-2021.06.04.00.07-linux-amd64
25 | imagePullPolicy: Always
26 | args:
27 | - --provider-volume=/etc/kubernetes/secrets-store-csi-providers
28 | resources:
29 | requests:
30 | cpu: 50m
31 | memory: 100Mi
32 | limits:
33 | cpu: 50m
34 | memory: 100Mi
35 | volumeMounts:
36 | - mountPath: "/etc/kubernetes/secrets-store-csi-providers"
37 | name: providervol
38 | - name: mountpoint-dir
39 | mountPath: /var/lib/kubelet/pods
40 | mountPropagation: HostToContainer
41 | volumes:
42 | - name: providervol
43 | hostPath:
44 | path: "/etc/kubernetes/secrets-store-csi-providers"
45 | - name: mountpoint-dir
46 | hostPath:
47 | path: /var/lib/kubelet/pods
48 | type: DirectoryOrCreate
49 | nodeSelector:
50 | kubernetes.io/os: linux
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: DaemonSet.kube-system.csi-secrets-store-provider-aws
File: /lessons/079/aws-provider-installer/3-daemonset.yaml:2-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: DaemonSet
4 | metadata:
5 | namespace: kube-system
6 | name: csi-secrets-store-provider-aws
7 | labels:
8 | app: csi-secrets-store-provider-aws
9 | spec:
10 | updateStrategy:
11 | type: RollingUpdate
12 | selector:
13 | matchLabels:
14 | app: csi-secrets-store-provider-aws
15 | template:
16 | metadata:
17 | labels:
18 | app: csi-secrets-store-provider-aws
19 | spec:
20 | serviceAccountName: csi-secrets-store-provider-aws
21 | hostNetwork: true
22 | containers:
23 | - name: provider-aws-installer
24 | image: public.ecr.aws/aws-secrets-manager/secrets-store-csi-driver-provider-aws:1.0.r1-10-g1942553-2021.06.04.00.07-linux-amd64
25 | imagePullPolicy: Always
26 | args:
27 | - --provider-volume=/etc/kubernetes/secrets-store-csi-providers
28 | resources:
29 | requests:
30 | cpu: 50m
31 | memory: 100Mi
32 | limits:
33 | cpu: 50m
34 | memory: 100Mi
35 | volumeMounts:
36 | - mountPath: "/etc/kubernetes/secrets-store-csi-providers"
37 | name: providervol
38 | - name: mountpoint-dir
39 | mountPath: /var/lib/kubelet/pods
40 | mountPropagation: HostToContainer
41 | volumes:
42 | - name: providervol
43 | hostPath:
44 | path: "/etc/kubernetes/secrets-store-csi-providers"
45 | - name: mountpoint-dir
46 | hostPath:
47 | path: /var/lib/kubelet/pods
48 | type: DirectoryOrCreate
49 | nodeSelector:
50 | kubernetes.io/os: linux
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: DaemonSet.kube-system.csi-secrets-store-provider-aws
File: /lessons/079/aws-provider-installer/3-daemonset.yaml:2-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: DaemonSet
4 | metadata:
5 | namespace: kube-system
6 | name: csi-secrets-store-provider-aws
7 | labels:
8 | app: csi-secrets-store-provider-aws
9 | spec:
10 | updateStrategy:
11 | type: RollingUpdate
12 | selector:
13 | matchLabels:
14 | app: csi-secrets-store-provider-aws
15 | template:
16 | metadata:
17 | labels:
18 | app: csi-secrets-store-provider-aws
19 | spec:
20 | serviceAccountName: csi-secrets-store-provider-aws
21 | hostNetwork: true
22 | containers:
23 | - name: provider-aws-installer
24 | image: public.ecr.aws/aws-secrets-manager/secrets-store-csi-driver-provider-aws:1.0.r1-10-g1942553-2021.06.04.00.07-linux-amd64
25 | imagePullPolicy: Always
26 | args:
27 | - --provider-volume=/etc/kubernetes/secrets-store-csi-providers
28 | resources:
29 | requests:
30 | cpu: 50m
31 | memory: 100Mi
32 | limits:
33 | cpu: 50m
34 | memory: 100Mi
35 | volumeMounts:
36 | - mountPath: "/etc/kubernetes/secrets-store-csi-providers"
37 | name: providervol
38 | - name: mountpoint-dir
39 | mountPath: /var/lib/kubelet/pods
40 | mountPropagation: HostToContainer
41 | volumes:
42 | - name: providervol
43 | hostPath:
44 | path: "/etc/kubernetes/secrets-store-csi-providers"
45 | - name: mountpoint-dir
46 | hostPath:
47 | path: /var/lib/kubelet/pods
48 | type: DirectoryOrCreate
49 | nodeSelector:
50 | kubernetes.io/os: linux
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: DaemonSet.kube-system.csi-secrets-store-provider-aws
File: /lessons/079/aws-provider-installer/3-daemonset.yaml:2-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: DaemonSet
4 | metadata:
5 | namespace: kube-system
6 | name: csi-secrets-store-provider-aws
7 | labels:
8 | app: csi-secrets-store-provider-aws
9 | spec:
10 | updateStrategy:
11 | type: RollingUpdate
12 | selector:
13 | matchLabels:
14 | app: csi-secrets-store-provider-aws
15 | template:
16 | metadata:
17 | labels:
18 | app: csi-secrets-store-provider-aws
19 | spec:
20 | serviceAccountName: csi-secrets-store-provider-aws
21 | hostNetwork: true
22 | containers:
23 | - name: provider-aws-installer
24 | image: public.ecr.aws/aws-secrets-manager/secrets-store-csi-driver-provider-aws:1.0.r1-10-g1942553-2021.06.04.00.07-linux-amd64
25 | imagePullPolicy: Always
26 | args:
27 | - --provider-volume=/etc/kubernetes/secrets-store-csi-providers
28 | resources:
29 | requests:
30 | cpu: 50m
31 | memory: 100Mi
32 | limits:
33 | cpu: 50m
34 | memory: 100Mi
35 | volumeMounts:
36 | - mountPath: "/etc/kubernetes/secrets-store-csi-providers"
37 | name: providervol
38 | - name: mountpoint-dir
39 | mountPath: /var/lib/kubelet/pods
40 | mountPropagation: HostToContainer
41 | volumes:
42 | - name: providervol
43 | hostPath:
44 | path: "/etc/kubernetes/secrets-store-csi-providers"
45 | - name: mountpoint-dir
46 | hostPath:
47 | path: /var/lib/kubelet/pods
48 | type: DirectoryOrCreate
49 | nodeSelector:
50 | kubernetes.io/os: linux
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: DaemonSet.kube-system.csi-secrets-store-provider-aws
File: /lessons/079/aws-provider-installer/3-daemonset.yaml:2-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: DaemonSet
4 | metadata:
5 | namespace: kube-system
6 | name: csi-secrets-store-provider-aws
7 | labels:
8 | app: csi-secrets-store-provider-aws
9 | spec:
10 | updateStrategy:
11 | type: RollingUpdate
12 | selector:
13 | matchLabels:
14 | app: csi-secrets-store-provider-aws
15 | template:
16 | metadata:
17 | labels:
18 | app: csi-secrets-store-provider-aws
19 | spec:
20 | serviceAccountName: csi-secrets-store-provider-aws
21 | hostNetwork: true
22 | containers:
23 | - name: provider-aws-installer
24 | image: public.ecr.aws/aws-secrets-manager/secrets-store-csi-driver-provider-aws:1.0.r1-10-g1942553-2021.06.04.00.07-linux-amd64
25 | imagePullPolicy: Always
26 | args:
27 | - --provider-volume=/etc/kubernetes/secrets-store-csi-providers
28 | resources:
29 | requests:
30 | cpu: 50m
31 | memory: 100Mi
32 | limits:
33 | cpu: 50m
34 | memory: 100Mi
35 | volumeMounts:
36 | - mountPath: "/etc/kubernetes/secrets-store-csi-providers"
37 | name: providervol
38 | - name: mountpoint-dir
39 | mountPath: /var/lib/kubelet/pods
40 | mountPropagation: HostToContainer
41 | volumes:
42 | - name: providervol
43 | hostPath:
44 | path: "/etc/kubernetes/secrets-store-csi-providers"
45 | - name: mountpoint-dir
46 | hostPath:
47 | path: /var/lib/kubelet/pods
48 | type: DirectoryOrCreate
49 | nodeSelector:
50 | kubernetes.io/os: linux
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: DaemonSet.kube-system.csi-secrets-store-provider-aws
File: /lessons/079/aws-provider-installer/3-daemonset.yaml:2-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: DaemonSet
4 | metadata:
5 | namespace: kube-system
6 | name: csi-secrets-store-provider-aws
7 | labels:
8 | app: csi-secrets-store-provider-aws
9 | spec:
10 | updateStrategy:
11 | type: RollingUpdate
12 | selector:
13 | matchLabels:
14 | app: csi-secrets-store-provider-aws
15 | template:
16 | metadata:
17 | labels:
18 | app: csi-secrets-store-provider-aws
19 | spec:
20 | serviceAccountName: csi-secrets-store-provider-aws
21 | hostNetwork: true
22 | containers:
23 | - name: provider-aws-installer
24 | image: public.ecr.aws/aws-secrets-manager/secrets-store-csi-driver-provider-aws:1.0.r1-10-g1942553-2021.06.04.00.07-linux-amd64
25 | imagePullPolicy: Always
26 | args:
27 | - --provider-volume=/etc/kubernetes/secrets-store-csi-providers
28 | resources:
29 | requests:
30 | cpu: 50m
31 | memory: 100Mi
32 | limits:
33 | cpu: 50m
34 | memory: 100Mi
35 | volumeMounts:
36 | - mountPath: "/etc/kubernetes/secrets-store-csi-providers"
37 | name: providervol
38 | - name: mountpoint-dir
39 | mountPath: /var/lib/kubelet/pods
40 | mountPropagation: HostToContainer
41 | volumes:
42 | - name: providervol
43 | hostPath:
44 | path: "/etc/kubernetes/secrets-store-csi-providers"
45 | - name: mountpoint-dir
46 | hostPath:
47 | path: /var/lib/kubelet/pods
48 | type: DirectoryOrCreate
49 | nodeSelector:
50 | kubernetes.io/os: linux
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: DaemonSet.kube-system.csi-secrets-store-provider-aws
File: /lessons/079/aws-provider-installer/3-daemonset.yaml:2-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: DaemonSet
4 | metadata:
5 | namespace: kube-system
6 | name: csi-secrets-store-provider-aws
7 | labels:
8 | app: csi-secrets-store-provider-aws
9 | spec:
10 | updateStrategy:
11 | type: RollingUpdate
12 | selector:
13 | matchLabels:
14 | app: csi-secrets-store-provider-aws
15 | template:
16 | metadata:
17 | labels:
18 | app: csi-secrets-store-provider-aws
19 | spec:
20 | serviceAccountName: csi-secrets-store-provider-aws
21 | hostNetwork: true
22 | containers:
23 | - name: provider-aws-installer
24 | image: public.ecr.aws/aws-secrets-manager/secrets-store-csi-driver-provider-aws:1.0.r1-10-g1942553-2021.06.04.00.07-linux-amd64
25 | imagePullPolicy: Always
26 | args:
27 | - --provider-volume=/etc/kubernetes/secrets-store-csi-providers
28 | resources:
29 | requests:
30 | cpu: 50m
31 | memory: 100Mi
32 | limits:
33 | cpu: 50m
34 | memory: 100Mi
35 | volumeMounts:
36 | - mountPath: "/etc/kubernetes/secrets-store-csi-providers"
37 | name: providervol
38 | - name: mountpoint-dir
39 | mountPath: /var/lib/kubelet/pods
40 | mountPropagation: HostToContainer
41 | volumes:
42 | - name: providervol
43 | hostPath:
44 | path: "/etc/kubernetes/secrets-store-csi-providers"
45 | - name: mountpoint-dir
46 | hostPath:
47 | path: /var/lib/kubelet/pods
48 | type: DirectoryOrCreate
49 | nodeSelector:
50 | kubernetes.io/os: linux
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: DaemonSet.kube-system.csi-secrets-store-provider-aws
File: /lessons/079/aws-provider-installer/3-daemonset.yaml:2-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: DaemonSet
4 | metadata:
5 | namespace: kube-system
6 | name: csi-secrets-store-provider-aws
7 | labels:
8 | app: csi-secrets-store-provider-aws
9 | spec:
10 | updateStrategy:
11 | type: RollingUpdate
12 | selector:
13 | matchLabels:
14 | app: csi-secrets-store-provider-aws
15 | template:
16 | metadata:
17 | labels:
18 | app: csi-secrets-store-provider-aws
19 | spec:
20 | serviceAccountName: csi-secrets-store-provider-aws
21 | hostNetwork: true
22 | containers:
23 | - name: provider-aws-installer
24 | image: public.ecr.aws/aws-secrets-manager/secrets-store-csi-driver-provider-aws:1.0.r1-10-g1942553-2021.06.04.00.07-linux-amd64
25 | imagePullPolicy: Always
26 | args:
27 | - --provider-volume=/etc/kubernetes/secrets-store-csi-providers
28 | resources:
29 | requests:
30 | cpu: 50m
31 | memory: 100Mi
32 | limits:
33 | cpu: 50m
34 | memory: 100Mi
35 | volumeMounts:
36 | - mountPath: "/etc/kubernetes/secrets-store-csi-providers"
37 | name: providervol
38 | - name: mountpoint-dir
39 | mountPath: /var/lib/kubelet/pods
40 | mountPropagation: HostToContainer
41 | volumes:
42 | - name: providervol
43 | hostPath:
44 | path: "/etc/kubernetes/secrets-store-csi-providers"
45 | - name: mountpoint-dir
46 | hostPath:
47 | path: /var/lib/kubelet/pods
48 | type: DirectoryOrCreate
49 | nodeSelector:
50 | kubernetes.io/os: linux
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: DaemonSet.kube-system.csi-secrets-store-provider-aws
File: /lessons/079/aws-provider-installer/3-daemonset.yaml:2-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: DaemonSet
4 | metadata:
5 | namespace: kube-system
6 | name: csi-secrets-store-provider-aws
7 | labels:
8 | app: csi-secrets-store-provider-aws
9 | spec:
10 | updateStrategy:
11 | type: RollingUpdate
12 | selector:
13 | matchLabels:
14 | app: csi-secrets-store-provider-aws
15 | template:
16 | metadata:
17 | labels:
18 | app: csi-secrets-store-provider-aws
19 | spec:
20 | serviceAccountName: csi-secrets-store-provider-aws
21 | hostNetwork: true
22 | containers:
23 | - name: provider-aws-installer
24 | image: public.ecr.aws/aws-secrets-manager/secrets-store-csi-driver-provider-aws:1.0.r1-10-g1942553-2021.06.04.00.07-linux-amd64
25 | imagePullPolicy: Always
26 | args:
27 | - --provider-volume=/etc/kubernetes/secrets-store-csi-providers
28 | resources:
29 | requests:
30 | cpu: 50m
31 | memory: 100Mi
32 | limits:
33 | cpu: 50m
34 | memory: 100Mi
35 | volumeMounts:
36 | - mountPath: "/etc/kubernetes/secrets-store-csi-providers"
37 | name: providervol
38 | - name: mountpoint-dir
39 | mountPath: /var/lib/kubelet/pods
40 | mountPropagation: HostToContainer
41 | volumes:
42 | - name: providervol
43 | hostPath:
44 | path: "/etc/kubernetes/secrets-store-csi-providers"
45 | - name: mountpoint-dir
46 | hostPath:
47 | path: /var/lib/kubelet/pods
48 | type: DirectoryOrCreate
49 | nodeSelector:
50 | kubernetes.io/os: linux
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: DaemonSet.kube-system.csi-secrets-store-provider-aws
File: /lessons/079/aws-provider-installer/3-daemonset.yaml:2-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: DaemonSet
4 | metadata:
5 | namespace: kube-system
6 | name: csi-secrets-store-provider-aws
7 | labels:
8 | app: csi-secrets-store-provider-aws
9 | spec:
10 | updateStrategy:
11 | type: RollingUpdate
12 | selector:
13 | matchLabels:
14 | app: csi-secrets-store-provider-aws
15 | template:
16 | metadata:
17 | labels:
18 | app: csi-secrets-store-provider-aws
19 | spec:
20 | serviceAccountName: csi-secrets-store-provider-aws
21 | hostNetwork: true
22 | containers:
23 | - name: provider-aws-installer
24 | image: public.ecr.aws/aws-secrets-manager/secrets-store-csi-driver-provider-aws:1.0.r1-10-g1942553-2021.06.04.00.07-linux-amd64
25 | imagePullPolicy: Always
26 | args:
27 | - --provider-volume=/etc/kubernetes/secrets-store-csi-providers
28 | resources:
29 | requests:
30 | cpu: 50m
31 | memory: 100Mi
32 | limits:
33 | cpu: 50m
34 | memory: 100Mi
35 | volumeMounts:
36 | - mountPath: "/etc/kubernetes/secrets-store-csi-providers"
37 | name: providervol
38 | - name: mountpoint-dir
39 | mountPath: /var/lib/kubelet/pods
40 | mountPropagation: HostToContainer
41 | volumes:
42 | - name: providervol
43 | hostPath:
44 | path: "/etc/kubernetes/secrets-store-csi-providers"
45 | - name: mountpoint-dir
46 | hostPath:
47 | path: /var/lib/kubelet/pods
48 | type: DirectoryOrCreate
49 | nodeSelector:
50 | kubernetes.io/os: linux
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.production.nginx
File: /lessons/079/nginx/3-deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: production
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: nginx
12 | template:
13 | metadata:
14 | labels:
15 | app: nginx
16 | spec:
17 | serviceAccountName: nginx
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | ports:
22 | - containerPort: 80
23 | volumeMounts:
24 | - name: my-api-token
25 | mountPath: /mnt/api-token
26 | readOnly: true
27 | env:
28 | - name: API_TOKEN
29 | valueFrom:
30 | secretKeyRef:
31 | name: api-token
32 | key: SECRET_TOKEN
33 | volumes:
34 | - name: my-api-token
35 | csi:
36 | driver: secrets-store.csi.k8s.io
37 | readOnly: true
38 | volumeAttributes:
39 | secretProviderClass: aws-secrets
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.production.nginx
File: /lessons/079/nginx/3-deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: production
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: nginx
12 | template:
13 | metadata:
14 | labels:
15 | app: nginx
16 | spec:
17 | serviceAccountName: nginx
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | ports:
22 | - containerPort: 80
23 | volumeMounts:
24 | - name: my-api-token
25 | mountPath: /mnt/api-token
26 | readOnly: true
27 | env:
28 | - name: API_TOKEN
29 | valueFrom:
30 | secretKeyRef:
31 | name: api-token
32 | key: SECRET_TOKEN
33 | volumes:
34 | - name: my-api-token
35 | csi:
36 | driver: secrets-store.csi.k8s.io
37 | readOnly: true
38 | volumeAttributes:
39 | secretProviderClass: aws-secrets
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.production.nginx
File: /lessons/079/nginx/3-deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: production
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: nginx
12 | template:
13 | metadata:
14 | labels:
15 | app: nginx
16 | spec:
17 | serviceAccountName: nginx
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | ports:
22 | - containerPort: 80
23 | volumeMounts:
24 | - name: my-api-token
25 | mountPath: /mnt/api-token
26 | readOnly: true
27 | env:
28 | - name: API_TOKEN
29 | valueFrom:
30 | secretKeyRef:
31 | name: api-token
32 | key: SECRET_TOKEN
33 | volumes:
34 | - name: my-api-token
35 | csi:
36 | driver: secrets-store.csi.k8s.io
37 | readOnly: true
38 | volumeAttributes:
39 | secretProviderClass: aws-secrets
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.production.nginx
File: /lessons/079/nginx/3-deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: production
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: nginx
12 | template:
13 | metadata:
14 | labels:
15 | app: nginx
16 | spec:
17 | serviceAccountName: nginx
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | ports:
22 | - containerPort: 80
23 | volumeMounts:
24 | - name: my-api-token
25 | mountPath: /mnt/api-token
26 | readOnly: true
27 | env:
28 | - name: API_TOKEN
29 | valueFrom:
30 | secretKeyRef:
31 | name: api-token
32 | key: SECRET_TOKEN
33 | volumes:
34 | - name: my-api-token
35 | csi:
36 | driver: secrets-store.csi.k8s.io
37 | readOnly: true
38 | volumeAttributes:
39 | secretProviderClass: aws-secrets
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.production.nginx
File: /lessons/079/nginx/3-deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: production
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: nginx
12 | template:
13 | metadata:
14 | labels:
15 | app: nginx
16 | spec:
17 | serviceAccountName: nginx
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | ports:
22 | - containerPort: 80
23 | volumeMounts:
24 | - name: my-api-token
25 | mountPath: /mnt/api-token
26 | readOnly: true
27 | env:
28 | - name: API_TOKEN
29 | valueFrom:
30 | secretKeyRef:
31 | name: api-token
32 | key: SECRET_TOKEN
33 | volumes:
34 | - name: my-api-token
35 | csi:
36 | driver: secrets-store.csi.k8s.io
37 | readOnly: true
38 | volumeAttributes:
39 | secretProviderClass: aws-secrets
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.production.nginx
File: /lessons/079/nginx/3-deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: production
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: nginx
12 | template:
13 | metadata:
14 | labels:
15 | app: nginx
16 | spec:
17 | serviceAccountName: nginx
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | ports:
22 | - containerPort: 80
23 | volumeMounts:
24 | - name: my-api-token
25 | mountPath: /mnt/api-token
26 | readOnly: true
27 | env:
28 | - name: API_TOKEN
29 | valueFrom:
30 | secretKeyRef:
31 | name: api-token
32 | key: SECRET_TOKEN
33 | volumes:
34 | - name: my-api-token
35 | csi:
36 | driver: secrets-store.csi.k8s.io
37 | readOnly: true
38 | volumeAttributes:
39 | secretProviderClass: aws-secrets
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.production.nginx
File: /lessons/079/nginx/3-deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: production
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: nginx
12 | template:
13 | metadata:
14 | labels:
15 | app: nginx
16 | spec:
17 | serviceAccountName: nginx
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | ports:
22 | - containerPort: 80
23 | volumeMounts:
24 | - name: my-api-token
25 | mountPath: /mnt/api-token
26 | readOnly: true
27 | env:
28 | - name: API_TOKEN
29 | valueFrom:
30 | secretKeyRef:
31 | name: api-token
32 | key: SECRET_TOKEN
33 | volumes:
34 | - name: my-api-token
35 | csi:
36 | driver: secrets-store.csi.k8s.io
37 | readOnly: true
38 | volumeAttributes:
39 | secretProviderClass: aws-secrets
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.production.nginx
File: /lessons/079/nginx/3-deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: production
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: nginx
12 | template:
13 | metadata:
14 | labels:
15 | app: nginx
16 | spec:
17 | serviceAccountName: nginx
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | ports:
22 | - containerPort: 80
23 | volumeMounts:
24 | - name: my-api-token
25 | mountPath: /mnt/api-token
26 | readOnly: true
27 | env:
28 | - name: API_TOKEN
29 | valueFrom:
30 | secretKeyRef:
31 | name: api-token
32 | key: SECRET_TOKEN
33 | volumes:
34 | - name: my-api-token
35 | csi:
36 | driver: secrets-store.csi.k8s.io
37 | readOnly: true
38 | volumeAttributes:
39 | secretProviderClass: aws-secrets
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.production.nginx
File: /lessons/079/nginx/3-deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: production
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: nginx
12 | template:
13 | metadata:
14 | labels:
15 | app: nginx
16 | spec:
17 | serviceAccountName: nginx
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | ports:
22 | - containerPort: 80
23 | volumeMounts:
24 | - name: my-api-token
25 | mountPath: /mnt/api-token
26 | readOnly: true
27 | env:
28 | - name: API_TOKEN
29 | valueFrom:
30 | secretKeyRef:
31 | name: api-token
32 | key: SECRET_TOKEN
33 | volumes:
34 | - name: my-api-token
35 | csi:
36 | driver: secrets-store.csi.k8s.io
37 | readOnly: true
38 | volumeAttributes:
39 | secretProviderClass: aws-secrets
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.production.nginx
File: /lessons/079/nginx/3-deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: production
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: nginx
12 | template:
13 | metadata:
14 | labels:
15 | app: nginx
16 | spec:
17 | serviceAccountName: nginx
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | ports:
22 | - containerPort: 80
23 | volumeMounts:
24 | - name: my-api-token
25 | mountPath: /mnt/api-token
26 | readOnly: true
27 | env:
28 | - name: API_TOKEN
29 | valueFrom:
30 | secretKeyRef:
31 | name: api-token
32 | key: SECRET_TOKEN
33 | volumes:
34 | - name: my-api-token
35 | csi:
36 | driver: secrets-store.csi.k8s.io
37 | readOnly: true
38 | volumeAttributes:
39 | secretProviderClass: aws-secrets
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.production.nginx
File: /lessons/079/nginx/3-deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: production
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: nginx
12 | template:
13 | metadata:
14 | labels:
15 | app: nginx
16 | spec:
17 | serviceAccountName: nginx
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | ports:
22 | - containerPort: 80
23 | volumeMounts:
24 | - name: my-api-token
25 | mountPath: /mnt/api-token
26 | readOnly: true
27 | env:
28 | - name: API_TOKEN
29 | valueFrom:
30 | secretKeyRef:
31 | name: api-token
32 | key: SECRET_TOKEN
33 | volumes:
34 | - name: my-api-token
35 | csi:
36 | driver: secrets-store.csi.k8s.io
37 | readOnly: true
38 | volumeAttributes:
39 | secretProviderClass: aws-secrets
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.production.nginx
File: /lessons/079/nginx/3-deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: production
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: nginx
12 | template:
13 | metadata:
14 | labels:
15 | app: nginx
16 | spec:
17 | serviceAccountName: nginx
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | ports:
22 | - containerPort: 80
23 | volumeMounts:
24 | - name: my-api-token
25 | mountPath: /mnt/api-token
26 | readOnly: true
27 | env:
28 | - name: API_TOKEN
29 | valueFrom:
30 | secretKeyRef:
31 | name: api-token
32 | key: SECRET_TOKEN
33 | volumes:
34 | - name: my-api-token
35 | csi:
36 | driver: secrets-store.csi.k8s.io
37 | readOnly: true
38 | volumeAttributes:
39 | secretProviderClass: aws-secrets
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.production.nginx
File: /lessons/079/nginx/3-deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: production
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: nginx
12 | template:
13 | metadata:
14 | labels:
15 | app: nginx
16 | spec:
17 | serviceAccountName: nginx
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | ports:
22 | - containerPort: 80
23 | volumeMounts:
24 | - name: my-api-token
25 | mountPath: /mnt/api-token
26 | readOnly: true
27 | env:
28 | - name: API_TOKEN
29 | valueFrom:
30 | secretKeyRef:
31 | name: api-token
32 | key: SECRET_TOKEN
33 | volumes:
34 | - name: my-api-token
35 | csi:
36 | driver: secrets-store.csi.k8s.io
37 | readOnly: true
38 | volumeAttributes:
39 | secretProviderClass: aws-secrets
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.production.nginx
File: /lessons/079/nginx/3-deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: production
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: nginx
12 | template:
13 | metadata:
14 | labels:
15 | app: nginx
16 | spec:
17 | serviceAccountName: nginx
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | ports:
22 | - containerPort: 80
23 | volumeMounts:
24 | - name: my-api-token
25 | mountPath: /mnt/api-token
26 | readOnly: true
27 | env:
28 | - name: API_TOKEN
29 | valueFrom:
30 | secretKeyRef:
31 | name: api-token
32 | key: SECRET_TOKEN
33 | volumes:
34 | - name: my-api-token
35 | csi:
36 | driver: secrets-store.csi.k8s.io
37 | readOnly: true
38 | volumeAttributes:
39 | secretProviderClass: aws-secrets
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.production.nginx
File: /lessons/079/nginx/3-deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: production
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: nginx
12 | template:
13 | metadata:
14 | labels:
15 | app: nginx
16 | spec:
17 | serviceAccountName: nginx
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | ports:
22 | - containerPort: 80
23 | volumeMounts:
24 | - name: my-api-token
25 | mountPath: /mnt/api-token
26 | readOnly: true
27 | env:
28 | - name: API_TOKEN
29 | valueFrom:
30 | secretKeyRef:
31 | name: api-token
32 | key: SECRET_TOKEN
33 | volumes:
34 | - name: my-api-token
35 | csi:
36 | driver: secrets-store.csi.k8s.io
37 | readOnly: true
38 | volumeAttributes:
39 | secretProviderClass: aws-secrets
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.production.nginx
File: /lessons/079/nginx/3-deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: production
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: nginx
12 | template:
13 | metadata:
14 | labels:
15 | app: nginx
16 | spec:
17 | serviceAccountName: nginx
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | ports:
22 | - containerPort: 80
23 | volumeMounts:
24 | - name: my-api-token
25 | mountPath: /mnt/api-token
26 | readOnly: true
27 | env:
28 | - name: API_TOKEN
29 | valueFrom:
30 | secretKeyRef:
31 | name: api-token
32 | key: SECRET_TOKEN
33 | volumes:
34 | - name: my-api-token
35 | csi:
36 | driver: secrets-store.csi.k8s.io
37 | readOnly: true
38 | volumeAttributes:
39 | secretProviderClass: aws-secrets
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.production.nginx
File: /lessons/079/nginx/3-deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: production
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: nginx
12 | template:
13 | metadata:
14 | labels:
15 | app: nginx
16 | spec:
17 | serviceAccountName: nginx
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | ports:
22 | - containerPort: 80
23 | volumeMounts:
24 | - name: my-api-token
25 | mountPath: /mnt/api-token
26 | readOnly: true
27 | env:
28 | - name: API_TOKEN
29 | valueFrom:
30 | secretKeyRef:
31 | name: api-token
32 | key: SECRET_TOKEN
33 | volumes:
34 | - name: my-api-token
35 | csi:
36 | driver: secrets-store.csi.k8s.io
37 | readOnly: true
38 | volumeAttributes:
39 | secretProviderClass: aws-secrets
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.production.nginx
File: /lessons/079/nginx/3-deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: production
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: nginx
12 | template:
13 | metadata:
14 | labels:
15 | app: nginx
16 | spec:
17 | serviceAccountName: nginx
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | ports:
22 | - containerPort: 80
23 | volumeMounts:
24 | - name: my-api-token
25 | mountPath: /mnt/api-token
26 | readOnly: true
27 | env:
28 | - name: API_TOKEN
29 | valueFrom:
30 | secretKeyRef:
31 | name: api-token
32 | key: SECRET_TOKEN
33 | volumes:
34 | - name: my-api-token
35 | csi:
36 | driver: secrets-store.csi.k8s.io
37 | readOnly: true
38 | volumeAttributes:
39 | secretProviderClass: aws-secrets
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.production.nginx
File: /lessons/079/nginx/3-deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: production
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: nginx
12 | template:
13 | metadata:
14 | labels:
15 | app: nginx
16 | spec:
17 | serviceAccountName: nginx
18 | containers:
19 | - name: nginx
20 | image: nginx:1.14.2
21 | ports:
22 | - containerPort: 80
23 | volumeMounts:
24 | - name: my-api-token
25 | mountPath: /mnt/api-token
26 | readOnly: true
27 | env:
28 | - name: API_TOKEN
29 | valueFrom:
30 | secretKeyRef:
31 | name: api-token
32 | key: SECRET_TOKEN
33 | volumes:
34 | - name: my-api-token
35 | csi:
36 | driver: secrets-store.csi.k8s.io
37 | readOnly: true
38 | volumeAttributes:
39 | secretProviderClass: aws-secrets
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/145/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/145/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/145/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/145/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/145/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/145/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/145/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/145/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/145/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/145/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/145/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/145/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/145/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/145/monitoring/grafana/deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/145/monitoring/grafana/deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/145/monitoring/grafana/deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/145/monitoring/grafana/deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/145/monitoring/grafana/deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/145/monitoring/grafana/deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/145/monitoring/grafana/deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/145/monitoring/grafana/deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/145/monitoring/grafana/deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/145/monitoring/grafana/deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/145/monitoring/grafana/deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: ClusterRole.default.prometheus-operator
File: /lessons/145/monitoring/prometheus-operator/rbac.yaml:19-98
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/145/monitoring/prometheus-operator/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/145/monitoring/prometheus-operator/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/145/monitoring/prometheus-operator/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/145/monitoring/prometheus-operator/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/145/monitoring/prometheus-operator/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/145/monitoring/prometheus-operator/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/145/monitoring/kube-state-metrics/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/145/monitoring/kube-state-metrics/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/145/monitoring/kube-state-metrics/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/145/monitoring/kube-state-metrics/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/145/monitoring/kube-state-metrics/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.go-app
File: /lessons/145/go-app/deploy/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.go-app
File: /lessons/145/go-app/deploy/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.go-app
File: /lessons/145/go-app/deploy/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.go-app
File: /lessons/145/go-app/deploy/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.go-app
File: /lessons/145/go-app/deploy/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.go-app
File: /lessons/145/go-app/deploy/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.go-app
File: /lessons/145/go-app/deploy/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.go-app
File: /lessons/145/go-app/deploy/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.go-app
File: /lessons/145/go-app/deploy/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.go-app
File: /lessons/145/go-app/deploy/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.go-app
File: /lessons/145/go-app/deploy/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.go-app
File: /lessons/145/go-app/deploy/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.staging.go-app
File: /lessons/145/go-app/deploy/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.go-app
File: /lessons/145/go-app/deploy/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/145/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
 2 | apiVersion: batch/v1
 3 | kind: Job
 4 | metadata:
 5 |   name: minio-post-job
 6 |   namespace: minio
 7 | spec:
 8 |   template:
 9 |     metadata:
10 |       labels:
11 |         app: minio-job
12 |       annotations:
13 |         sidecar.istio.io/inject: "false"
14 |     spec:
15 |       restartPolicy: OnFailure
16 |       volumes:
17 |         - name: minio-configuration
18 |           projected:
19 |             sources:
20 |               - configMap:
21 |                   name: minio
22 |               - secret:
23 |                   name: minio
24 |       containers:
25 |         - name: minio-make-user
26 |           image: "quay.io/minio/mc:RELEASE.2022-12-13T00-23-28Z"
27 |           imagePullPolicy: IfNotPresent
28 |           command: [ "/bin/sh", "/config/add-user" ]
29 |           env:
30 |             - name: MINIO_ENDPOINT
31 |               value: minio
32 |             - name: MINIO_PORT
33 |               value: "9000"
34 |           volumeMounts:
35 |             - name: minio-configuration
36 |               mountPath: /config
37 |           resources:
38 |             requests:
39 |               memory: 128Mi
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/145/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/145/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/145/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/145/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/145/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/145/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/145/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/145/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/145/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/145/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/145/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/145/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/145/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/145/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.minio.minio
File: /lessons/145/minio/deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.minio.minio
File: /lessons/145/minio/deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.minio.minio
File: /lessons/145/minio/deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.minio.minio
File: /lessons/145/minio/deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.minio.minio
File: /lessons/145/minio/deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.minio.minio
File: /lessons/145/minio/deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.minio.minio
File: /lessons/145/minio/deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.minio.minio
File: /lessons/145/minio/deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.minio.minio
File: /lessons/145/minio/deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.minio.minio
File: /lessons/145/minio/deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.minio.minio
File: /lessons/145/minio/deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.minio.minio
File: /lessons/145/minio/deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.minio.minio
File: /lessons/145/minio/deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.mongodb.mongodb-exporter
File: /lessons/145/mongodb/exporter-deployment.yaml:2-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.mongodb.mongodb-exporter
File: /lessons/145/mongodb/exporter-deployment.yaml:2-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.mongodb.mongodb-exporter
File: /lessons/145/mongodb/exporter-deployment.yaml:2-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.mongodb.mongodb-exporter
File: /lessons/145/mongodb/exporter-deployment.yaml:2-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.mongodb.mongodb-exporter
File: /lessons/145/mongodb/exporter-deployment.yaml:2-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.mongodb.mongodb-exporter
File: /lessons/145/mongodb/exporter-deployment.yaml:2-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.mongodb.mongodb-exporter
File: /lessons/145/mongodb/exporter-deployment.yaml:2-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.mongodb.mongodb-exporter
File: /lessons/145/mongodb/exporter-deployment.yaml:2-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.mongodb.mongodb-exporter
File: /lessons/145/mongodb/exporter-deployment.yaml:2-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.mongodb.mongodb-exporter
File: /lessons/145/mongodb/exporter-deployment.yaml:2-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.mongodb.mongodb-exporter
File: /lessons/145/mongodb/exporter-deployment.yaml:2-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.mongodb.mongodb-exporter
File: /lessons/145/mongodb/exporter-deployment.yaml:2-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.mongodb.mongodb-exporter
File: /lessons/145/mongodb/exporter-deployment.yaml:2-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.mongodb.mongodb-exporter
File: /lessons/145/mongodb/exporter-deployment.yaml:2-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.mongodb.mongodb
File: /lessons/145/mongodb/deployment.yaml:2-116
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.mongodb.mongodb
File: /lessons/145/mongodb/deployment.yaml:2-116
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.mongodb.mongodb
File: /lessons/145/mongodb/deployment.yaml:2-116
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.mongodb.mongodb
File: /lessons/145/mongodb/deployment.yaml:2-116
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.mongodb.mongodb
File: /lessons/145/mongodb/deployment.yaml:2-116
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.mongodb.mongodb
File: /lessons/145/mongodb/deployment.yaml:2-116
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.mongodb.mongodb
File: /lessons/145/mongodb/deployment.yaml:2-116
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.mongodb.mongodb
File: /lessons/145/mongodb/deployment.yaml:2-116
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.mongodb.mongodb
File: /lessons/145/mongodb/deployment.yaml:2-116
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.mongodb.mongodb
File: /lessons/145/mongodb/deployment.yaml:2-116
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.java-app
File: /lessons/145/java-app/deploy/deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.java-app
File: /lessons/145/java-app/deploy/deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.java-app
File: /lessons/145/java-app/deploy/deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.java-app
File: /lessons/145/java-app/deploy/deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.java-app
File: /lessons/145/java-app/deploy/deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.java-app
File: /lessons/145/java-app/deploy/deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.java-app
File: /lessons/145/java-app/deploy/deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.java-app
File: /lessons/145/java-app/deploy/deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.java-app
File: /lessons/145/java-app/deploy/deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.java-app
File: /lessons/145/java-app/deploy/deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.java-app
File: /lessons/145/java-app/deploy/deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.java-app
File: /lessons/145/java-app/deploy/deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.staging.java-app
File: /lessons/145/java-app/deploy/deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.java-app
File: /lessons/145/java-app/deploy/deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.api.express
File: /lessons/090/k8s/deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: express
6 |   namespace: api
7 | spec:
8 |   replicas: 3
9 |   selector:
10 |     matchLabels:
11 |       app: express
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: express
16 |     spec:
17 |       containers:
18 |         - image: aputra/express-073:latest
19 |           name: express
20 |           ports:
21 |             - name: http
22 |               containerPort: 8081
23 |           resources:
24 |             limits:
25 |               cpu: 500m
26 |               memory: 256Mi
27 |             requests:
28 |               cpu: 200m
29 |               memory: 128Mi
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.api.express
File: /lessons/090/k8s/deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.api.express
File: /lessons/090/k8s/deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.api.express
File: /lessons/090/k8s/deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.api.express
File: /lessons/090/k8s/deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.api.express
File: /lessons/090/k8s/deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.api.express
File: /lessons/090/k8s/deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.api.express
File: /lessons/090/k8s/deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.api.express
File: /lessons/090/k8s/deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.api.express
File: /lessons/090/k8s/deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.api.express
File: /lessons/090/k8s/deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.api.express
File: /lessons/090/k8s/deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.api.express
File: /lessons/090/k8s/deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.api.express
File: /lessons/090/k8s/deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.pod-affinity
File: /lessons/096/examples/4-pod-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: pod-affinity
6 | spec:
7 |   replicas: 2
8 |   selector:
9 |     matchLabels:
10 |       app: nginx-controller
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx-controller
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
21 |       affinity:
22 |         podAffinity:
23 |           requiredDuringSchedulingIgnoredDuringExecution:
24 |             - labelSelector:
25 |                 matchExpressions:
26 |                   - key: app
27 |                     operator: In
28 |                     values:
29 |                       - nginx-controller
30 |               topologyKey: "kubernetes.io/hostname"
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.pod-affinity
File: /lessons/096/examples/4-pod-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.pod-affinity
File: /lessons/096/examples/4-pod-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.pod-affinity
File: /lessons/096/examples/4-pod-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.pod-affinity
File: /lessons/096/examples/4-pod-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.pod-affinity
File: /lessons/096/examples/4-pod-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.pod-affinity
File: /lessons/096/examples/4-pod-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.pod-affinity
File: /lessons/096/examples/4-pod-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.pod-affinity
File: /lessons/096/examples/4-pod-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.pod-affinity
File: /lessons/096/examples/4-pod-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.pod-affinity
File: /lessons/096/examples/4-pod-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.pod-affinity
File: /lessons/096/examples/4-pod-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.pod-affinity
File: /lessons/096/examples/4-pod-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.pod-affinity
File: /lessons/096/examples/4-pod-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.pod-affinity
File: /lessons/096/examples/4-pod-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.pod-affinity
File: /lessons/096/examples/4-pod-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.pod-affinity
File: /lessons/096/examples/4-pod-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.pod-affinity
File: /lessons/096/examples/4-pod-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.pod-affinity
File: /lessons/096/examples/4-pod-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.node-affinity-soft
File: /lessons/096/examples/2-node-affinity-soft.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: node-affinity-soft
6 | spec:
7 |   replicas: 1
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |       - name: nginx
18 |         image: nginx:1.14.2
19 |         ports:
20 |         - containerPort: 80
21 |       affinity:
22 |         nodeAffinity:
23 |           preferredDuringSchedulingIgnoredDuringExecution:
24 |           - weight: 1
25 |             preference:
26 |               matchExpressions:
27 |               - key: role
28 |                 operator: In
29 |                 values:
30 |                 - spot
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.node-affinity-soft
File: /lessons/096/examples/2-node-affinity-soft.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.node-affinity-soft
File: /lessons/096/examples/2-node-affinity-soft.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.node-affinity-soft
File: /lessons/096/examples/2-node-affinity-soft.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.node-affinity-soft
File: /lessons/096/examples/2-node-affinity-soft.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.node-affinity-soft
File: /lessons/096/examples/2-node-affinity-soft.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.node-affinity-soft
File: /lessons/096/examples/2-node-affinity-soft.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.node-affinity-soft
File: /lessons/096/examples/2-node-affinity-soft.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.node-affinity-soft
File: /lessons/096/examples/2-node-affinity-soft.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.node-affinity-soft
File: /lessons/096/examples/2-node-affinity-soft.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.node-affinity-soft
File: /lessons/096/examples/2-node-affinity-soft.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.node-affinity-soft
File: /lessons/096/examples/2-node-affinity-soft.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.node-affinity-soft
File: /lessons/096/examples/2-node-affinity-soft.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.node-affinity-soft
File: /lessons/096/examples/2-node-affinity-soft.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.node-affinity-soft
File: /lessons/096/examples/2-node-affinity-soft.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.node-affinity-soft
File: /lessons/096/examples/2-node-affinity-soft.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.node-affinity-soft
File: /lessons/096/examples/2-node-affinity-soft.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.node-affinity-soft
File: /lessons/096/examples/2-node-affinity-soft.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.node-affinity-soft
File: /lessons/096/examples/2-node-affinity-soft.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.node-affinity-hard
File: /lessons/096/examples/1-node-affinity-hard.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: node-affinity-hard
6 | spec:
7 |   replicas: 1
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |       - name: nginx
18 |         image: nginx:1.14.2
19 |         ports:
20 |         - containerPort: 80
21 |       affinity:
22 |         nodeAffinity:
23 |           requiredDuringSchedulingIgnoredDuringExecution:
24 |             nodeSelectorTerms:
25 |             - matchExpressions:
26 |               - key: role
27 |                 operator: In
28 |                 values:
29 |                 - spot
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.node-affinity-hard
File: /lessons/096/examples/1-node-affinity-hard.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.node-affinity-hard
File: /lessons/096/examples/1-node-affinity-hard.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.node-affinity-hard
File: /lessons/096/examples/1-node-affinity-hard.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.node-affinity-hard
File: /lessons/096/examples/1-node-affinity-hard.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.node-affinity-hard
File: /lessons/096/examples/1-node-affinity-hard.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.node-affinity-hard
File: /lessons/096/examples/1-node-affinity-hard.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.node-affinity-hard
File: /lessons/096/examples/1-node-affinity-hard.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: node-affinity-hard
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
21 | affinity:
22 | nodeAffinity:
23 | requiredDuringSchedulingIgnoredDuringExecution:
24 | nodeSelectorTerms:
25 | - matchExpressions:
26 | - key: role
27 | operator: In
28 | values:
29 | - spot
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.node-affinity-hard
File: /lessons/096/examples/1-node-affinity-hard.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: node-affinity-hard
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
21 | affinity:
22 | nodeAffinity:
23 | requiredDuringSchedulingIgnoredDuringExecution:
24 | nodeSelectorTerms:
25 | - matchExpressions:
26 | - key: role
27 | operator: In
28 | values:
29 | - spot
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.node-affinity-hard
File: /lessons/096/examples/1-node-affinity-hard.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: node-affinity-hard
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
21 | affinity:
22 | nodeAffinity:
23 | requiredDuringSchedulingIgnoredDuringExecution:
24 | nodeSelectorTerms:
25 | - matchExpressions:
26 | - key: role
27 | operator: In
28 | values:
29 | - spot
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.node-affinity-hard
File: /lessons/096/examples/1-node-affinity-hard.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: node-affinity-hard
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
21 | affinity:
22 | nodeAffinity:
23 | requiredDuringSchedulingIgnoredDuringExecution:
24 | nodeSelectorTerms:
25 | - matchExpressions:
26 | - key: role
27 | operator: In
28 | values:
29 | - spot
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.node-affinity-hard
File: /lessons/096/examples/1-node-affinity-hard.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: node-affinity-hard
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
21 | affinity:
22 | nodeAffinity:
23 | requiredDuringSchedulingIgnoredDuringExecution:
24 | nodeSelectorTerms:
25 | - matchExpressions:
26 | - key: role
27 | operator: In
28 | values:
29 | - spot
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.node-affinity-hard
File: /lessons/096/examples/1-node-affinity-hard.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: node-affinity-hard
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
21 | affinity:
22 | nodeAffinity:
23 | requiredDuringSchedulingIgnoredDuringExecution:
24 | nodeSelectorTerms:
25 | - matchExpressions:
26 | - key: role
27 | operator: In
28 | values:
29 | - spot
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.node-affinity-hard
File: /lessons/096/examples/1-node-affinity-hard.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: node-affinity-hard
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
21 | affinity:
22 | nodeAffinity:
23 | requiredDuringSchedulingIgnoredDuringExecution:
24 | nodeSelectorTerms:
25 | - matchExpressions:
26 | - key: role
27 | operator: In
28 | values:
29 | - spot
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.node-affinity-hard
File: /lessons/096/examples/1-node-affinity-hard.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: node-affinity-hard
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
21 | affinity:
22 | nodeAffinity:
23 | requiredDuringSchedulingIgnoredDuringExecution:
24 | nodeSelectorTerms:
25 | - matchExpressions:
26 | - key: role
27 | operator: In
28 | values:
29 | - spot
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.node-affinity-hard
File: /lessons/096/examples/1-node-affinity-hard.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: node-affinity-hard
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
21 | affinity:
22 | nodeAffinity:
23 | requiredDuringSchedulingIgnoredDuringExecution:
24 | nodeSelectorTerms:
25 | - matchExpressions:
26 | - key: role
27 | operator: In
28 | values:
29 | - spot
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.node-affinity-hard
File: /lessons/096/examples/1-node-affinity-hard.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: node-affinity-hard
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
21 | affinity:
22 | nodeAffinity:
23 | requiredDuringSchedulingIgnoredDuringExecution:
24 | nodeSelectorTerms:
25 | - matchExpressions:
26 | - key: role
27 | operator: In
28 | values:
29 | - spot
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.node-affinity-hard
File: /lessons/096/examples/1-node-affinity-hard.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: node-affinity-hard
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
21 | affinity:
22 | nodeAffinity:
23 | requiredDuringSchedulingIgnoredDuringExecution:
24 | nodeSelectorTerms:
25 | - matchExpressions:
26 | - key: role
27 | operator: In
28 | values:
29 | - spot
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.node-affinity-hard
File: /lessons/096/examples/1-node-affinity-hard.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: node-affinity-hard
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
21 | affinity:
22 | nodeAffinity:
23 | requiredDuringSchedulingIgnoredDuringExecution:
24 | nodeSelectorTerms:
25 | - matchExpressions:
26 | - key: role
27 | operator: In
28 | values:
29 | - spot
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx-node-selector
File: /lessons/096/examples/0-node-selector.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx-node-selector
6 | spec:
7 |   replicas: 1
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
21 |       nodeSelector:
22 |         role: spot
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx-node-selector
File: /lessons/096/examples/0-node-selector.yaml:2-22 (same snippet as above)
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.nginx-node-selector
File: /lessons/096/examples/0-node-selector.yaml:2-22 (same snippet as above)
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx-node-selector
File: /lessons/096/examples/0-node-selector.yaml:2-22 (same snippet as above)
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx-node-selector
File: /lessons/096/examples/0-node-selector.yaml:2-22 (same snippet as above)
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx-node-selector
File: /lessons/096/examples/0-node-selector.yaml:2-22 (same snippet as above)
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-node-selector
File: /lessons/096/examples/0-node-selector.yaml:2-22 (same snippet as above)
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx-node-selector
File: /lessons/096/examples/0-node-selector.yaml:2-22 (same snippet as above)
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx-node-selector
File: /lessons/096/examples/0-node-selector.yaml:2-22 (same snippet as above)
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx-node-selector
File: /lessons/096/examples/0-node-selector.yaml:2-22 (same snippet as above)
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-node-selector
File: /lessons/096/examples/0-node-selector.yaml:2-22 (same snippet as above)
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx-node-selector
File: /lessons/096/examples/0-node-selector.yaml:2-22 (same snippet as above)
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx-node-selector
File: /lessons/096/examples/0-node-selector.yaml:2-22 (same snippet as above)
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx-node-selector
File: /lessons/096/examples/0-node-selector.yaml:2-22 (same snippet as above)
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx-node-selector
File: /lessons/096/examples/0-node-selector.yaml:2-22 (same snippet as above)
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx-node-selector
File: /lessons/096/examples/0-node-selector.yaml:2-22 (same snippet as above)
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.nginx-node-selector
File: /lessons/096/examples/0-node-selector.yaml:2-22 (same snippet as above)
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx-node-selector
File: /lessons/096/examples/0-node-selector.yaml:2-22 (same snippet as above)
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx-node-selector
File: /lessons/096/examples/0-node-selector.yaml:2-22 (same snippet as above)
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
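The nineteen findings above for 0-node-selector.yaml are the same set that checkov reports for every Deployment in this lesson, because all of them use the same bare nginx pod template. The script below is an added example written for this page; it is not code from the antonputra/tutorials repository and not checkov's own implementation. It re-implements a simplified predicate for each listed CKV_K8S check (checkov also accepts other forms that are omitted here, for example the seccomp annotations for CKV_K8S_31), runs them against the 0-node-selector Deployment expressed as a dict, then derives a hardened copy and re-checks it. The namespace `web`, UID 10001, probe path `/`, the resource sizes and the all-zero digest are placeholders chosen for the example.

```python
"""Re-check a Deployment against the CKV_K8S_* findings reported above, then
harden it and re-check. Illustrative code for this page: NOT checkov's code,
and each predicate is a simplification of the corresponding real check."""
import copy
from typing import Callable, Dict, List

# The Deployment from /lessons/096/examples/0-node-selector.yaml as a dict.
NODE_SELECTOR: Dict = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "nginx-node-selector"},
    "spec": {
        "replicas": 1,
        "selector": {"matchLabels": {"app": "nginx"}},
        "template": {
            "metadata": {"labels": {"app": "nginx"}},
            "spec": {
                "containers": [{"name": "nginx", "image": "nginx:1.14.2",
                                "ports": [{"containerPort": 80}]}],
                "nodeSelector": {"role": "spot"},
            },
        },
    },
}

def _pod(m: Dict) -> Dict:
    return m["spec"]["template"]["spec"]

def _pod_sc(m: Dict) -> Dict:
    return _pod(m).get("securityContext") or {}

def _sc(c: Dict) -> Dict:
    return c.get("securityContext") or {}

def _drops(c: Dict) -> set:
    return {x.upper() for x in _sc(c).get("capabilities", {}).get("drop", [])}

def _res(c: Dict, kind: str, name: str) -> bool:
    return name in (c.get("resources") or {}).get(kind, {})

def _all(m: Dict, pred: Callable[[Dict], bool]) -> bool:
    """True when every container in the pod template satisfies pred."""
    cs = _pod(m).get("containers", [])
    return bool(cs) and all(pred(c) for c in cs)

# Check id -> predicate that is True when the manifest PASSES that check.
CHECKS: Dict[str, Callable[[Dict], bool]] = {
    "CKV_K8S_8": lambda m: _all(m, lambda c: "livenessProbe" in c),
    "CKV_K8S_9": lambda m: _all(m, lambda c: "readinessProbe" in c),
    "CKV_K8S_10": lambda m: _all(m, lambda c: _res(c, "requests", "cpu")),
    "CKV_K8S_11": lambda m: _all(m, lambda c: _res(c, "limits", "cpu")),
    "CKV_K8S_12": lambda m: _all(m, lambda c: _res(c, "requests", "memory")),
    "CKV_K8S_13": lambda m: _all(m, lambda c: _res(c, "limits", "memory")),
    "CKV_K8S_15": lambda m: _all(m, lambda c: c.get("imagePullPolicy") == "Always"),
    "CKV_K8S_20": lambda m: _all(m, lambda c: _sc(c).get("allowPrivilegeEscalation") is False),
    "CKV_K8S_21": lambda m: m["metadata"].get("namespace", "default") != "default",
    "CKV_K8S_22": lambda m: _all(m, lambda c: _sc(c).get("readOnlyRootFilesystem") is True),
    "CKV_K8S_23": lambda m: _all(m, lambda c: (_sc(c).get("runAsNonRoot")
                                              or _pod_sc(m).get("runAsNonRoot")) is True),
    "CKV_K8S_28": lambda m: _all(m, lambda c: bool(_drops(c) & {"ALL", "NET_RAW"})),
    "CKV_K8S_29": lambda m: "securityContext" in _pod(m) or _all(m, lambda c: "securityContext" in c),
    "CKV_K8S_30": lambda m: _all(m, lambda c: "securityContext" in c),
    "CKV_K8S_31": lambda m: _pod_sc(m).get("seccompProfile", {}).get("type") == "RuntimeDefault",
    "CKV_K8S_37": lambda m: _all(m, lambda c: "ALL" in _drops(c)),
    "CKV_K8S_38": lambda m: _pod(m).get("automountServiceAccountToken") is False,
    "CKV_K8S_40": lambda m: _all(m, lambda c: (_sc(c).get("runAsUser") or 0) >= 10000),
    "CKV_K8S_43": lambda m: _all(m, lambda c: "@sha256:" in c["image"]),
}

def failed(m: Dict) -> List[str]:
    """Ids of the checks the manifest fails, sorted."""
    return sorted(k for k, ok in CHECKS.items() if not ok(m))

# Placeholder digest (assumption); obtain the real one with e.g. `crane digest nginx:1.14.2`.
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64

def harden(m: Dict, namespace: str = "web", uid: int = 10001,
           digest: str = PLACEHOLDER_DIGEST) -> Dict:
    """Copy of m with the fields each finding asks for. Namespace, UID, probe
    path and resource sizes are assumptions for this example."""
    h = copy.deepcopy(m)
    h["metadata"]["namespace"] = namespace                               # CKV_K8S_21
    pod = _pod(h)
    pod["automountServiceAccountToken"] = False                          # CKV_K8S_38
    pod["securityContext"] = {"runAsNonRoot": True,                      # CKV_K8S_29
                              "seccompProfile": {"type": "RuntimeDefault"}}  # CKV_K8S_31
    for c in pod["containers"]:
        port = c["ports"][0]["containerPort"]
        c["image"] = c["image"].split("@")[0] + "@" + digest              # CKV_K8S_43
        c["imagePullPolicy"] = "Always"                                   # CKV_K8S_15
        c["livenessProbe"] = {"httpGet": {"path": "/", "port": port}}     # CKV_K8S_8
        c["readinessProbe"] = {"httpGet": {"path": "/", "port": port}}    # CKV_K8S_9
        c["resources"] = {"requests": {"cpu": "100m", "memory": "64Mi"},  # CKV_K8S_10..13
                          "limits": {"cpu": "500m", "memory": "128Mi"}}
        c["securityContext"] = {                                          # CKV_K8S_30
            "allowPrivilegeEscalation": False,                            # CKV_K8S_20
            "readOnlyRootFilesystem": True,                               # CKV_K8S_22
            "runAsNonRoot": True,                                         # CKV_K8S_23
            "runAsUser": uid,                                             # CKV_K8S_40
            "capabilities": {"drop": ["ALL"]},                            # CKV_K8S_28, _37
        }
    return h
```

`failed(NODE_SELECTOR)` returns all nineteen ids and `failed(harden(NODE_SELECTOR))` returns an empty list, which is the scanner's view. Passing the scanner is not the same as the pod starting: the stock `nginx:1.14.2` image launches its master process as root, binds port 80 and writes to `/var/cache/nginx` and `/var/run`, so `runAsNonRoot`, `readOnlyRootFilesystem` and `drop: [ALL]` applied verbatim will keep it from coming up. Either use an image built to run unprivileged on a high port, or add `emptyDir` volumes at the writable paths and an nginx configuration that listens above 1024. The lesson's `role: spot` node selection is unaffected by any of this; the findings are about the pod template, not the scheduling constraint.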
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.pod-anti-affinity
File: /lessons/096/examples/3-pod-anti-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: pod-anti-affinity
6 | spec:
7 | replicas: 2
8 | selector:
9 | matchLabels:
10 | app: nginx-controller
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx-controller
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
21 | affinity:
22 | podAntiAffinity:
23 | requiredDuringSchedulingIgnoredDuringExecution:
24 | - labelSelector:
25 | matchExpressions:
26 | - key: app
27 | operator: In
28 | values:
29 | - nginx-controller
30 | topologyKey: "kubernetes.io/hostname"
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.pod-anti-affinity
File: /lessons/096/examples/3-pod-anti-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: pod-anti-affinity
6 | spec:
7 | replicas: 2
8 | selector:
9 | matchLabels:
10 | app: nginx-controller
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx-controller
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
21 | affinity:
22 | podAntiAffinity:
23 | requiredDuringSchedulingIgnoredDuringExecution:
24 | - labelSelector:
25 | matchExpressions:
26 | - key: app
27 | operator: In
28 | values:
29 | - nginx-controller
30 | topologyKey: "kubernetes.io/hostname"
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.pod-anti-affinity
File: /lessons/096/examples/3-pod-anti-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: pod-anti-affinity
6 | spec:
7 | replicas: 2
8 | selector:
9 | matchLabels:
10 | app: nginx-controller
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx-controller
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
21 | affinity:
22 | podAntiAffinity:
23 | requiredDuringSchedulingIgnoredDuringExecution:
24 | - labelSelector:
25 | matchExpressions:
26 | - key: app
27 | operator: In
28 | values:
29 | - nginx-controller
30 | topologyKey: "kubernetes.io/hostname"
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.pod-anti-affinity
File: /lessons/096/examples/3-pod-anti-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: pod-anti-affinity
6 | spec:
7 | replicas: 2
8 | selector:
9 | matchLabels:
10 | app: nginx-controller
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx-controller
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
21 | affinity:
22 | podAntiAffinity:
23 | requiredDuringSchedulingIgnoredDuringExecution:
24 | - labelSelector:
25 | matchExpressions:
26 | - key: app
27 | operator: In
28 | values:
29 | - nginx-controller
30 | topologyKey: "kubernetes.io/hostname"
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.pod-anti-affinity
File: /lessons/096/examples/3-pod-anti-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: pod-anti-affinity
6 | spec:
7 | replicas: 2
8 | selector:
9 | matchLabels:
10 | app: nginx-controller
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx-controller
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
21 | affinity:
22 | podAntiAffinity:
23 | requiredDuringSchedulingIgnoredDuringExecution:
24 | - labelSelector:
25 | matchExpressions:
26 | - key: app
27 | operator: In
28 | values:
29 | - nginx-controller
30 | topologyKey: "kubernetes.io/hostname"
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.pod-anti-affinity
File: /lessons/096/examples/3-pod-anti-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: pod-anti-affinity
6 | spec:
7 | replicas: 2
8 | selector:
9 | matchLabels:
10 | app: nginx-controller
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx-controller
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
21 | affinity:
22 | podAntiAffinity:
23 | requiredDuringSchedulingIgnoredDuringExecution:
24 | - labelSelector:
25 | matchExpressions:
26 | - key: app
27 | operator: In
28 | values:
29 | - nginx-controller
30 | topologyKey: "kubernetes.io/hostname"
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.pod-anti-affinity
File: /lessons/096/examples/3-pod-anti-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: pod-anti-affinity
6 | spec:
7 | replicas: 2
8 | selector:
9 | matchLabels:
10 | app: nginx-controller
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx-controller
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
21 | affinity:
22 | podAntiAffinity:
23 | requiredDuringSchedulingIgnoredDuringExecution:
24 | - labelSelector:
25 | matchExpressions:
26 | - key: app
27 | operator: In
28 | values:
29 | - nginx-controller
30 | topologyKey: "kubernetes.io/hostname"
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.pod-anti-affinity
File: /lessons/096/examples/3-pod-anti-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.pod-anti-affinity
File: /lessons/096/examples/3-pod-anti-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.pod-anti-affinity
File: /lessons/096/examples/3-pod-anti-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.pod-anti-affinity
File: /lessons/096/examples/3-pod-anti-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.pod-anti-affinity
File: /lessons/096/examples/3-pod-anti-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.pod-anti-affinity
File: /lessons/096/examples/3-pod-anti-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.pod-anti-affinity
File: /lessons/096/examples/3-pod-anti-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.pod-anti-affinity
File: /lessons/096/examples/3-pod-anti-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.pod-anti-affinity
File: /lessons/096/examples/3-pod-anti-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.pod-anti-affinity
File: /lessons/096/examples/3-pod-anti-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.pod-anti-affinity
File: /lessons/096/examples/3-pod-anti-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.pod-anti-affinity
File: /lessons/096/examples/3-pod-anti-affinity.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Secret.default.creds-v4
File: /lessons/042/secret-v1.yaml:2-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: Secret
4 | metadata:
5 | name: creds-v4
6 | type: Opaque
7 | data:
8 | token: c2VjcmV0MTIzNDU=
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Secret.default.creds-v5
File: /lessons/042/secret-v2.yaml:2-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: Secret
4 | metadata:
5 | name: creds-v5
6 | type: Opaque
7 | stringData:
8 | token: secret12345
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: StatefulSet.default.web
File: /lessons/166/demo/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: web
6 | spec:
7 | serviceName: nginx
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: nginx
12 | template:
13 | metadata:
14 | labels:
15 | app: nginx
16 | spec:
17 | containers:
18 | - name: nginx
19 | image: registry.k8s.io/nginx-slim:0.8
20 | ports:
21 | - containerPort: 80
22 | name: web
23 | volumeMounts:
24 | - name: www
25 | mountPath: /usr/share/nginx/html
26 | volumeClaimTemplates:
27 | - metadata:
28 | name: www
29 | spec:
30 | storageClassName: my-gp3
31 | accessModes: ["ReadWriteOnce"]
32 | resources:
33 | requests:
34 | storage: 1Gi
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: StatefulSet.default.web
File: /lessons/166/demo/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: StatefulSet.default.web
File: /lessons/166/demo/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: StatefulSet.default.web
File: /lessons/166/demo/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: StatefulSet.default.web
File: /lessons/166/demo/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: StatefulSet.default.web
File: /lessons/166/demo/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: StatefulSet.default.web
File: /lessons/166/demo/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: StatefulSet.default.web
File: /lessons/166/demo/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: StatefulSet.default.web
File: /lessons/166/demo/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: StatefulSet.default.web
File: /lessons/166/demo/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: StatefulSet.default.web
File: /lessons/166/demo/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: StatefulSet.default.web
File: /lessons/166/demo/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: StatefulSet.default.web
File: /lessons/166/demo/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: StatefulSet.default.web
File: /lessons/166/demo/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: StatefulSet.default.web
File: /lessons/166/demo/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: StatefulSet.default.web
File: /lessons/166/demo/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: StatefulSet.default.web
File: /lessons/166/demo/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: StatefulSet.default.web
File: /lessons/166/demo/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: StatefulSet.default.web
File: /lessons/166/demo/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.go-app
File: /lessons/151/go-app/deploy/deployment.yaml:2-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.go-app
File: /lessons/151/go-app/deploy/deployment.yaml:2-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.go-app
File: /lessons/151/go-app/deploy/deployment.yaml:2-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.go-app
File: /lessons/151/go-app/deploy/deployment.yaml:2-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.go-app
File: /lessons/151/go-app/deploy/deployment.yaml:2-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.go-app
File: /lessons/151/go-app/deploy/deployment.yaml:2-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.go-app
File: /lessons/151/go-app/deploy/deployment.yaml:2-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.go-app
File: /lessons/151/go-app/deploy/deployment.yaml:2-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.go-app
File: /lessons/151/go-app/deploy/deployment.yaml:2-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.go-app
File: /lessons/151/go-app/deploy/deployment.yaml:2-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.go-app
File: /lessons/151/go-app/deploy/deployment.yaml:2-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.go-app
File: /lessons/151/go-app/deploy/deployment.yaml:2-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.staging.go-app
File: /lessons/151/go-app/deploy/deployment.yaml:2-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.go-app
File: /lessons/151/go-app/deploy/deployment.yaml:2-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.kube-system.metrics-server
File: /lessons/071/k8s/0-metrics-server.yaml:112-178
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.kube-system.metrics-server
File: /lessons/071/k8s/0-metrics-server.yaml:112-178
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.kube-system.metrics-server
File: /lessons/071/k8s/0-metrics-server.yaml:112-178
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.kube-system.metrics-server
File: /lessons/071/k8s/0-metrics-server.yaml:112-178
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.kube-system.metrics-server
File: /lessons/071/k8s/0-metrics-server.yaml:112-178
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.kube-system.metrics-server
File: /lessons/071/k8s/0-metrics-server.yaml:112-178
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.kube-system.metrics-server
File: /lessons/071/k8s/0-metrics-server.yaml:112-178
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.kube-system.metrics-server
File: /lessons/071/k8s/0-metrics-server.yaml:112-178
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.kube-system.metrics-server
File: /lessons/071/k8s/0-metrics-server.yaml:112-178
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.kube-system.metrics-server
File: /lessons/071/k8s/0-metrics-server.yaml:112-178
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.kube-system.metrics-server
File: /lessons/071/k8s/0-metrics-server.yaml:112-178
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.express
File: /lessons/071/k8s/1-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: express
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: express
11 | template:
12 | metadata:
13 | labels:
14 | app: express
15 | spec:
16 | containers:
17 | - name: express
18 | imagePullPolicy: Always
19 | image: aputrabay/express:latest
20 | ports:
21 | - containerPort: 8080
22 | resources:
23 | limits:
24 | cpu: 500m
25 | memory: 256Mi
26 | requests:
27 | cpu: 200m
28 | memory: 128Mi
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.express
File: /lessons/071/k8s/1-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.express
File: /lessons/071/k8s/1-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.express
File: /lessons/071/k8s/1-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.express
File: /lessons/071/k8s/1-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.express
File: /lessons/071/k8s/1-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.express
File: /lessons/071/k8s/1-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.express
File: /lessons/071/k8s/1-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.express
File: /lessons/071/k8s/1-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.express
File: /lessons/071/k8s/1-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.express
File: /lessons/071/k8s/1-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.express
File: /lessons/071/k8s/1-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.express
File: /lessons/071/k8s/1-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.express
File: /lessons/071/k8s/1-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.express
File: /lessons/071/k8s/1-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /lessons/070/k8s/0-cluster-autoscaler.yaml:122-171
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /lessons/070/k8s/0-cluster-autoscaler.yaml:122-171
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /lessons/070/k8s/0-cluster-autoscaler.yaml:122-171
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /lessons/070/k8s/0-cluster-autoscaler.yaml:122-171
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /lessons/070/k8s/0-cluster-autoscaler.yaml:122-171
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /lessons/070/k8s/0-cluster-autoscaler.yaml:122-171
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /lessons/070/k8s/0-cluster-autoscaler.yaml:122-171
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /lessons/070/k8s/0-cluster-autoscaler.yaml:122-171
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /lessons/070/k8s/0-cluster-autoscaler.yaml:122-171
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /lessons/070/k8s/0-cluster-autoscaler.yaml:122-171
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /lessons/070/k8s/0-cluster-autoscaler.yaml:122-171
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /lessons/070/k8s/0-cluster-autoscaler.yaml:122-171
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /lessons/070/k8s/0-cluster-autoscaler.yaml:122-171
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx-unmanaged
File: /lessons/070/k8s/2-nginx-unmanaged.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-unmanaged
5 | namespace: default
6 | spec:
7 | replicas: 2
8 | selector:
9 | matchLabels:
10 | app: nginx-unmanaged
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx-unmanaged
15 | spec:
16 | containers:
17 | - name: nginx-unmanaged
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
21 | affinity:
22 | nodeAffinity:
23 | requiredDuringSchedulingIgnoredDuringExecution:
24 | nodeSelectorTerms:
25 | - matchExpressions:
26 | - key: role
27 | operator: In
28 | values:
29 | - unmanaged-nodes
30 | podAntiAffinity:
31 | requiredDuringSchedulingIgnoredDuringExecution:
32 | - labelSelector:
33 | matchExpressions:
34 | - key: app
35 | operator: In
36 | values:
37 | - nginx-unmanaged
38 | topologyKey: kubernetes.io/hostname
39 | namespaces:
40 | - default
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx-unmanaged
File: /lessons/070/k8s/2-nginx-unmanaged.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.nginx-unmanaged
File: /lessons/070/k8s/2-nginx-unmanaged.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx-unmanaged
File: /lessons/070/k8s/2-nginx-unmanaged.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx-unmanaged
File: /lessons/070/k8s/2-nginx-unmanaged.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx-unmanaged
File: /lessons/070/k8s/2-nginx-unmanaged.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-unmanaged
File: /lessons/070/k8s/2-nginx-unmanaged.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx-unmanaged
File: /lessons/070/k8s/2-nginx-unmanaged.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx-unmanaged
File: /lessons/070/k8s/2-nginx-unmanaged.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx-unmanaged
File: /lessons/070/k8s/2-nginx-unmanaged.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-unmanaged
File: /lessons/070/k8s/2-nginx-unmanaged.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx-unmanaged
File: /lessons/070/k8s/2-nginx-unmanaged.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx-unmanaged
File: /lessons/070/k8s/2-nginx-unmanaged.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx-unmanaged
File: /lessons/070/k8s/2-nginx-unmanaged.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx-unmanaged
File: /lessons/070/k8s/2-nginx-unmanaged.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx-unmanaged
File: /lessons/070/k8s/2-nginx-unmanaged.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.nginx-unmanaged
File: /lessons/070/k8s/2-nginx-unmanaged.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx-unmanaged
File: /lessons/070/k8s/2-nginx-unmanaged.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx-unmanaged
File: /lessons/070/k8s/2-nginx-unmanaged.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-unmanaged
5 | namespace: default
6 | spec:
7 | replicas: 2
8 | selector:
9 | matchLabels:
10 | app: nginx-unmanaged
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx-unmanaged
15 | spec:
16 | containers:
17 | - name: nginx-unmanaged
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
21 | affinity:
22 | nodeAffinity:
23 | requiredDuringSchedulingIgnoredDuringExecution:
24 | nodeSelectorTerms:
25 | - matchExpressions:
26 | - key: role
27 | operator: In
28 | values:
29 | - unmanaged-nodes
30 | podAntiAffinity:
31 | requiredDuringSchedulingIgnoredDuringExecution:
32 | - labelSelector:
33 | matchExpressions:
34 | - key: app
35 | operator: In
36 | values:
37 | - nginx-unmanaged
38 | topologyKey: kubernetes.io/hostname
39 | namespaces:
40 | - default
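Every finding above for Deployment.default.nginx-unmanaged is raised against the same 40-line manifest, and the same set of checks fails for nginx-managed in 1-nginx-managed.yaml, so one corrected manifest clears both files. The manifest below is an added example, not code from the antonputra/tutorials repository. It assumes a namespace named web, a UID of 10001, the resource sizes shown, and the nginxinc/nginx-unprivileged image in place of nginx:1.14.2: the stock image starts as root, binds port 80 and writes under /var/cache/nginx, so it cannot satisfy CKV_K8S_23, CKV_K8S_40 and CKV_K8S_22 without being swapped. The image digest is a placeholder; CKV_K8S_43 only passes once it is replaced with the real value.

```yaml
# Added example: hardened rewrite of lessons/070/k8s/2-nginx-unmanaged.yaml that
# addresses each checkov finding listed above. Values marked "assumption" are
# illustrative and not taken from the repository.
apiVersion: v1
kind: Namespace
metadata:
  name: web                                 # assumption: any non-default namespace
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-unmanaged
  namespace: web                            # CKV_K8S_21: not "default"
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx-unmanaged
  template:
    metadata:
      labels:
        app: nginx-unmanaged
    spec:
      automountServiceAccountToken: false   # CKV_K8S_38: nginx never calls the API server
      securityContext:                      # CKV_K8S_29: pod-level security context
        runAsNonRoot: true                  # CKV_K8S_23
        runAsUser: 10001                    # CKV_K8S_40: UID above 10000 (assumption)
        runAsGroup: 10001
        fsGroup: 10001
        seccompProfile:
          type: RuntimeDefault              # CKV_K8S_31
      containers:
        - name: nginx-unmanaged
          # Assumption: the unprivileged nginx build (listens on 8080, no root needed).
          # Replace <digest> with the output of `crane digest <image>:<tag>` so the
          # pull is pinned to content, not to a mutable tag (CKV_K8S_43).
          image: nginxinc/nginx-unprivileged:1.25@sha256:<digest>
          imagePullPolicy: Always           # CKV_K8S_15
          ports:
            - containerPort: 8080
          resources:                        # CKV_K8S_10/11/12/13 (sizes are assumptions)
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              cpu: 250m
              memory: 128Mi
          securityContext:                  # CKV_K8S_30: container-level security context
            allowPrivilegeEscalation: false # CKV_K8S_20
            readOnlyRootFilesystem: true    # CKV_K8S_22
            capabilities:
              drop: ["ALL"]                 # CKV_K8S_28 (covers NET_RAW) and CKV_K8S_37
          readinessProbe:                   # CKV_K8S_9
            httpGet:
              path: /
              port: 8080
            initialDelaySeconds: 2
            periodSeconds: 5
          livenessProbe:                    # CKV_K8S_8
            httpGet:
              path: /
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
          volumeMounts:
            # Scratch space for the pid file and temp paths, which the unprivileged
            # image keeps under /tmp; everything else stays read-only.
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: tmp
          emptyDir: {}
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: role
                    operator: In
                    values:
                      - unmanaged-nodes     # managed variant: managed-nodes
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: app
                    operator: In
                    values:
                      - nginx-unmanaged
              topologyKey: kubernetes.io/hostname
              namespaces:
                - web
```

For 1-nginx-managed.yaml the only changes are the three nginx-unmanaged names and the node role value managed-nodes. Re-run checkov -f against the edited file before committing. readOnlyRootFilesystem with a single /tmp emptyDir is enough for the unprivileged image because its nginx.conf keeps the pid file and temp paths under /tmp; a custom nginx.conf that writes elsewhere needs its own writable mount, and an image that insists on binding a port below 1024 still needs NET_BIND_SERVICE, which is why switching images is cleaner than adding the capability back.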
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx-managed
File: /lessons/070/k8s/1-nginx-managed.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-managed
5 | namespace: default
6 | spec:
7 | replicas: 2
8 | selector:
9 | matchLabels:
10 | app: nginx-managed
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx-managed
15 | spec:
16 | containers:
17 | - name: nginx-managed
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
21 | affinity:
22 | nodeAffinity:
23 | requiredDuringSchedulingIgnoredDuringExecution:
24 | nodeSelectorTerms:
25 | - matchExpressions:
26 | - key: role
27 | operator: In
28 | values:
29 | - managed-nodes
30 | podAntiAffinity:
31 | requiredDuringSchedulingIgnoredDuringExecution:
32 | - labelSelector:
33 | matchExpressions:
34 | - key: app
35 | operator: In
36 | values:
37 | - nginx-managed
38 | topologyKey: kubernetes.io/hostname
39 | namespaces:
40 | - default
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx-managed
File: /lessons/070/k8s/1-nginx-managed.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.nginx-managed
File: /lessons/070/k8s/1-nginx-managed.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx-managed
File: /lessons/070/k8s/1-nginx-managed.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx-managed
File: /lessons/070/k8s/1-nginx-managed.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx-managed
File: /lessons/070/k8s/1-nginx-managed.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-managed
File: /lessons/070/k8s/1-nginx-managed.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx-managed
File: /lessons/070/k8s/1-nginx-managed.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx-managed
File: /lessons/070/k8s/1-nginx-managed.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx-managed
File: /lessons/070/k8s/1-nginx-managed.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-managed
File: /lessons/070/k8s/1-nginx-managed.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-managed
5 | namespace: default
6 | spec:
7 | replicas: 2
8 | selector:
9 | matchLabels:
10 | app: nginx-managed
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx-managed
15 | spec:
16 | containers:
17 | - name: nginx-managed
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
21 | affinity:
22 | nodeAffinity:
23 | requiredDuringSchedulingIgnoredDuringExecution:
24 | nodeSelectorTerms:
25 | - matchExpressions:
26 | - key: role
27 | operator: In
28 | values:
29 | - managed-nodes
30 | podAntiAffinity:
31 | requiredDuringSchedulingIgnoredDuringExecution:
32 | - labelSelector:
33 | matchExpressions:
34 | - key: app
35 | operator: In
36 | values:
37 | - nginx-managed
38 | topologyKey: kubernetes.io/hostname
39 | namespaces:
40 | - default
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx-managed
File: /lessons/070/k8s/1-nginx-managed.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-managed
5 | namespace: default
6 | spec:
7 | replicas: 2
8 | selector:
9 | matchLabels:
10 | app: nginx-managed
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx-managed
15 | spec:
16 | containers:
17 | - name: nginx-managed
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
21 | affinity:
22 | nodeAffinity:
23 | requiredDuringSchedulingIgnoredDuringExecution:
24 | nodeSelectorTerms:
25 | - matchExpressions:
26 | - key: role
27 | operator: In
28 | values:
29 | - managed-nodes
30 | podAntiAffinity:
31 | requiredDuringSchedulingIgnoredDuringExecution:
32 | - labelSelector:
33 | matchExpressions:
34 | - key: app
35 | operator: In
36 | values:
37 | - nginx-managed
38 | topologyKey: kubernetes.io/hostname
39 | namespaces:
40 | - default
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx-managed
File: /lessons/070/k8s/1-nginx-managed.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-managed
5 | namespace: default
6 | spec:
7 | replicas: 2
8 | selector:
9 | matchLabels:
10 | app: nginx-managed
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx-managed
15 | spec:
16 | containers:
17 | - name: nginx-managed
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
21 | affinity:
22 | nodeAffinity:
23 | requiredDuringSchedulingIgnoredDuringExecution:
24 | nodeSelectorTerms:
25 | - matchExpressions:
26 | - key: role
27 | operator: In
28 | values:
29 | - managed-nodes
30 | podAntiAffinity:
31 | requiredDuringSchedulingIgnoredDuringExecution:
32 | - labelSelector:
33 | matchExpressions:
34 | - key: app
35 | operator: In
36 | values:
37 | - nginx-managed
38 | topologyKey: kubernetes.io/hostname
39 | namespaces:
40 | - default
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx-managed
File: /lessons/070/k8s/1-nginx-managed.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-managed
5 | namespace: default
6 | spec:
7 | replicas: 2
8 | selector:
9 | matchLabels:
10 | app: nginx-managed
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx-managed
15 | spec:
16 | containers:
17 | - name: nginx-managed
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
21 | affinity:
22 | nodeAffinity:
23 | requiredDuringSchedulingIgnoredDuringExecution:
24 | nodeSelectorTerms:
25 | - matchExpressions:
26 | - key: role
27 | operator: In
28 | values:
29 | - managed-nodes
30 | podAntiAffinity:
31 | requiredDuringSchedulingIgnoredDuringExecution:
32 | - labelSelector:
33 | matchExpressions:
34 | - key: app
35 | operator: In
36 | values:
37 | - nginx-managed
38 | topologyKey: kubernetes.io/hostname
39 | namespaces:
40 | - default
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx-managed
File: /lessons/070/k8s/1-nginx-managed.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-managed
5 | namespace: default
6 | spec:
7 | replicas: 2
8 | selector:
9 | matchLabels:
10 | app: nginx-managed
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx-managed
15 | spec:
16 | containers:
17 | - name: nginx-managed
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
21 | affinity:
22 | nodeAffinity:
23 | requiredDuringSchedulingIgnoredDuringExecution:
24 | nodeSelectorTerms:
25 | - matchExpressions:
26 | - key: role
27 | operator: In
28 | values:
29 | - managed-nodes
30 | podAntiAffinity:
31 | requiredDuringSchedulingIgnoredDuringExecution:
32 | - labelSelector:
33 | matchExpressions:
34 | - key: app
35 | operator: In
36 | values:
37 | - nginx-managed
38 | topologyKey: kubernetes.io/hostname
39 | namespaces:
40 | - default
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx-managed
File: /lessons/070/k8s/1-nginx-managed.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-managed
5 | namespace: default
6 | spec:
7 | replicas: 2
8 | selector:
9 | matchLabels:
10 | app: nginx-managed
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx-managed
15 | spec:
16 | containers:
17 | - name: nginx-managed
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
21 | affinity:
22 | nodeAffinity:
23 | requiredDuringSchedulingIgnoredDuringExecution:
24 | nodeSelectorTerms:
25 | - matchExpressions:
26 | - key: role
27 | operator: In
28 | values:
29 | - managed-nodes
30 | podAntiAffinity:
31 | requiredDuringSchedulingIgnoredDuringExecution:
32 | - labelSelector:
33 | matchExpressions:
34 | - key: app
35 | operator: In
36 | values:
37 | - nginx-managed
38 | topologyKey: kubernetes.io/hostname
39 | namespaces:
40 | - default
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.nginx-managed
File: /lessons/070/k8s/1-nginx-managed.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-managed
5 | namespace: default
6 | spec:
7 | replicas: 2
8 | selector:
9 | matchLabels:
10 | app: nginx-managed
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx-managed
15 | spec:
16 | containers:
17 | - name: nginx-managed
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
21 | affinity:
22 | nodeAffinity:
23 | requiredDuringSchedulingIgnoredDuringExecution:
24 | nodeSelectorTerms:
25 | - matchExpressions:
26 | - key: role
27 | operator: In
28 | values:
29 | - managed-nodes
30 | podAntiAffinity:
31 | requiredDuringSchedulingIgnoredDuringExecution:
32 | - labelSelector:
33 | matchExpressions:
34 | - key: app
35 | operator: In
36 | values:
37 | - nginx-managed
38 | topologyKey: kubernetes.io/hostname
39 | namespaces:
40 | - default
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx-managed
File: /lessons/070/k8s/1-nginx-managed.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-managed
5 | namespace: default
6 | spec:
7 | replicas: 2
8 | selector:
9 | matchLabels:
10 | app: nginx-managed
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx-managed
15 | spec:
16 | containers:
17 | - name: nginx-managed
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
21 | affinity:
22 | nodeAffinity:
23 | requiredDuringSchedulingIgnoredDuringExecution:
24 | nodeSelectorTerms:
25 | - matchExpressions:
26 | - key: role
27 | operator: In
28 | values:
29 | - managed-nodes
30 | podAntiAffinity:
31 | requiredDuringSchedulingIgnoredDuringExecution:
32 | - labelSelector:
33 | matchExpressions:
34 | - key: app
35 | operator: In
36 | values:
37 | - nginx-managed
38 | topologyKey: kubernetes.io/hostname
39 | namespaces:
40 | - default
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx-managed
File: /lessons/070/k8s/1-nginx-managed.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-managed
5 | namespace: default
6 | spec:
7 | replicas: 2
8 | selector:
9 | matchLabels:
10 | app: nginx-managed
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx-managed
15 | spec:
16 | containers:
17 | - name: nginx-managed
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
21 | affinity:
22 | nodeAffinity:
23 | requiredDuringSchedulingIgnoredDuringExecution:
24 | nodeSelectorTerms:
25 | - matchExpressions:
26 | - key: role
27 | operator: In
28 | values:
29 | - managed-nodes
30 | podAntiAffinity:
31 | requiredDuringSchedulingIgnoredDuringExecution:
32 | - labelSelector:
33 | matchExpressions:
34 | - key: app
35 | operator: In
36 | values:
37 | - nginx-managed
38 | topologyKey: kubernetes.io/hostname
39 | namespaces:
40 | - default
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /lessons/109/k8s/cluster-autoscaler.yaml:98-145
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
98 | apiVersion: apps/v1
99 | kind: Deployment
100 | metadata:
101 | name: cluster-autoscaler
102 | namespace: kube-system
103 | labels:
104 | app: cluster-autoscaler
105 | spec:
106 | replicas: 1
107 | selector:
108 | matchLabels:
109 | app: cluster-autoscaler
110 | template:
111 | metadata:
112 | labels:
113 | app: cluster-autoscaler
114 | spec:
115 | serviceAccountName: cluster-autoscaler
116 | containers:
117 | - image: k8s.gcr.io/autoscaling/cluster-autoscaler:v1.21.0
118 | name: cluster-autoscaler
119 | resources:
120 | limits:
121 | cpu: 100m
122 | memory: 600Mi
123 | requests:
124 | cpu: 100m
125 | memory: 600Mi
126 | # https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md
127 | command:
128 | - ./cluster-autoscaler
129 | - --v=4
130 | - --stderrthreshold=info
131 | - --cloud-provider=aws
132 | - --skip-nodes-with-local-storage=false
133 | - --expander=least-waste
134 | - --node-group-auto-discovery=asg:tag=k8s.io/cluster-autoscaler/enabled,k8s.io/cluster-autoscaler/cluster-irsa # Update cluster
135 | - --balance-similar-node-groups
136 | - --skip-nodes-with-system-pods=false
137 | volumeMounts:
138 | - name: ssl-certs
139 | mountPath: /etc/ssl/certs/ca-certificates.crt
140 | readOnly: true
141 | imagePullPolicy: "Always"
142 | volumes:
143 | - name: ssl-certs
144 | hostPath:
145 | path: "/etc/ssl/certs/ca-bundle.crt"
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /lessons/109/k8s/cluster-autoscaler.yaml:98-145
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
98 | apiVersion: apps/v1
99 | kind: Deployment
100 | metadata:
101 | name: cluster-autoscaler
102 | namespace: kube-system
103 | labels:
104 | app: cluster-autoscaler
105 | spec:
106 | replicas: 1
107 | selector:
108 | matchLabels:
109 | app: cluster-autoscaler
110 | template:
111 | metadata:
112 | labels:
113 | app: cluster-autoscaler
114 | spec:
115 | serviceAccountName: cluster-autoscaler
116 | containers:
117 | - image: k8s.gcr.io/autoscaling/cluster-autoscaler:v1.21.0
118 | name: cluster-autoscaler
119 | resources:
120 | limits:
121 | cpu: 100m
122 | memory: 600Mi
123 | requests:
124 | cpu: 100m
125 | memory: 600Mi
126 | # https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md
127 | command:
128 | - ./cluster-autoscaler
129 | - --v=4
130 | - --stderrthreshold=info
131 | - --cloud-provider=aws
132 | - --skip-nodes-with-local-storage=false
133 | - --expander=least-waste
134 | - --node-group-auto-discovery=asg:tag=k8s.io/cluster-autoscaler/enabled,k8s.io/cluster-autoscaler/cluster-irsa # Update cluster
135 | - --balance-similar-node-groups
136 | - --skip-nodes-with-system-pods=false
137 | volumeMounts:
138 | - name: ssl-certs
139 | mountPath: /etc/ssl/certs/ca-certificates.crt
140 | readOnly: true
141 | imagePullPolicy: "Always"
142 | volumes:
143 | - name: ssl-certs
144 | hostPath:
145 | path: "/etc/ssl/certs/ca-bundle.crt"
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /lessons/109/k8s/cluster-autoscaler.yaml:98-145
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
98 | apiVersion: apps/v1
99 | kind: Deployment
100 | metadata:
101 | name: cluster-autoscaler
102 | namespace: kube-system
103 | labels:
104 | app: cluster-autoscaler
105 | spec:
106 | replicas: 1
107 | selector:
108 | matchLabels:
109 | app: cluster-autoscaler
110 | template:
111 | metadata:
112 | labels:
113 | app: cluster-autoscaler
114 | spec:
115 | serviceAccountName: cluster-autoscaler
116 | containers:
117 | - image: k8s.gcr.io/autoscaling/cluster-autoscaler:v1.21.0
118 | name: cluster-autoscaler
119 | resources:
120 | limits:
121 | cpu: 100m
122 | memory: 600Mi
123 | requests:
124 | cpu: 100m
125 | memory: 600Mi
126 | # https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md
127 | command:
128 | - ./cluster-autoscaler
129 | - --v=4
130 | - --stderrthreshold=info
131 | - --cloud-provider=aws
132 | - --skip-nodes-with-local-storage=false
133 | - --expander=least-waste
134 | - --node-group-auto-discovery=asg:tag=k8s.io/cluster-autoscaler/enabled,k8s.io/cluster-autoscaler/cluster-irsa # Update cluster
135 | - --balance-similar-node-groups
136 | - --skip-nodes-with-system-pods=false
137 | volumeMounts:
138 | - name: ssl-certs
139 | mountPath: /etc/ssl/certs/ca-certificates.crt
140 | readOnly: true
141 | imagePullPolicy: "Always"
142 | volumes:
143 | - name: ssl-certs
144 | hostPath:
145 | path: "/etc/ssl/certs/ca-bundle.crt"
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /lessons/109/k8s/cluster-autoscaler.yaml:98-145
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
98 | apiVersion: apps/v1
99 | kind: Deployment
100 | metadata:
101 | name: cluster-autoscaler
102 | namespace: kube-system
103 | labels:
104 | app: cluster-autoscaler
105 | spec:
106 | replicas: 1
107 | selector:
108 | matchLabels:
109 | app: cluster-autoscaler
110 | template:
111 | metadata:
112 | labels:
113 | app: cluster-autoscaler
114 | spec:
115 | serviceAccountName: cluster-autoscaler
116 | containers:
117 | - image: k8s.gcr.io/autoscaling/cluster-autoscaler:v1.21.0
118 | name: cluster-autoscaler
119 | resources:
120 | limits:
121 | cpu: 100m
122 | memory: 600Mi
123 | requests:
124 | cpu: 100m
125 | memory: 600Mi
126 | # https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md
127 | command:
128 | - ./cluster-autoscaler
129 | - --v=4
130 | - --stderrthreshold=info
131 | - --cloud-provider=aws
132 | - --skip-nodes-with-local-storage=false
133 | - --expander=least-waste
134 | - --node-group-auto-discovery=asg:tag=k8s.io/cluster-autoscaler/enabled,k8s.io/cluster-autoscaler/cluster-irsa # Update cluster
135 | - --balance-similar-node-groups
136 | - --skip-nodes-with-system-pods=false
137 | volumeMounts:
138 | - name: ssl-certs
139 | mountPath: /etc/ssl/certs/ca-certificates.crt
140 | readOnly: true
141 | imagePullPolicy: "Always"
142 | volumes:
143 | - name: ssl-certs
144 | hostPath:
145 | path: "/etc/ssl/certs/ca-bundle.crt"
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /lessons/109/k8s/cluster-autoscaler.yaml:98-145
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
98 | apiVersion: apps/v1
99 | kind: Deployment
100 | metadata:
101 | name: cluster-autoscaler
102 | namespace: kube-system
103 | labels:
104 | app: cluster-autoscaler
105 | spec:
106 | replicas: 1
107 | selector:
108 | matchLabels:
109 | app: cluster-autoscaler
110 | template:
111 | metadata:
112 | labels:
113 | app: cluster-autoscaler
114 | spec:
115 | serviceAccountName: cluster-autoscaler
116 | containers:
117 | - image: k8s.gcr.io/autoscaling/cluster-autoscaler:v1.21.0
118 | name: cluster-autoscaler
119 | resources:
120 | limits:
121 | cpu: 100m
122 | memory: 600Mi
123 | requests:
124 | cpu: 100m
125 | memory: 600Mi
126 | # https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md
127 | command:
128 | - ./cluster-autoscaler
129 | - --v=4
130 | - --stderrthreshold=info
131 | - --cloud-provider=aws
132 | - --skip-nodes-with-local-storage=false
133 | - --expander=least-waste
134 | - --node-group-auto-discovery=asg:tag=k8s.io/cluster-autoscaler/enabled,k8s.io/cluster-autoscaler/cluster-irsa # Update cluster
135 | - --balance-similar-node-groups
136 | - --skip-nodes-with-system-pods=false
137 | volumeMounts:
138 | - name: ssl-certs
139 | mountPath: /etc/ssl/certs/ca-certificates.crt
140 | readOnly: true
141 | imagePullPolicy: "Always"
142 | volumes:
143 | - name: ssl-certs
144 | hostPath:
145 | path: "/etc/ssl/certs/ca-bundle.crt"
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /lessons/109/k8s/cluster-autoscaler.yaml:98-145
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
98 | apiVersion: apps/v1
99 | kind: Deployment
100 | metadata:
101 | name: cluster-autoscaler
102 | namespace: kube-system
103 | labels:
104 | app: cluster-autoscaler
105 | spec:
106 | replicas: 1
107 | selector:
108 | matchLabels:
109 | app: cluster-autoscaler
110 | template:
111 | metadata:
112 | labels:
113 | app: cluster-autoscaler
114 | spec:
115 | serviceAccountName: cluster-autoscaler
116 | containers:
117 | - image: k8s.gcr.io/autoscaling/cluster-autoscaler:v1.21.0
118 | name: cluster-autoscaler
119 | resources:
120 | limits:
121 | cpu: 100m
122 | memory: 600Mi
123 | requests:
124 | cpu: 100m
125 | memory: 600Mi
126 | # https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md
127 | command:
128 | - ./cluster-autoscaler
129 | - --v=4
130 | - --stderrthreshold=info
131 | - --cloud-provider=aws
132 | - --skip-nodes-with-local-storage=false
133 | - --expander=least-waste
134 | - --node-group-auto-discovery=asg:tag=k8s.io/cluster-autoscaler/enabled,k8s.io/cluster-autoscaler/cluster-irsa # Update cluster
135 | - --balance-similar-node-groups
136 | - --skip-nodes-with-system-pods=false
137 | volumeMounts:
138 | - name: ssl-certs
139 | mountPath: /etc/ssl/certs/ca-certificates.crt
140 | readOnly: true
141 | imagePullPolicy: "Always"
142 | volumes:
143 | - name: ssl-certs
144 | hostPath:
145 | path: "/etc/ssl/certs/ca-bundle.crt"
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /lessons/109/k8s/cluster-autoscaler.yaml:98-145
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
98 | apiVersion: apps/v1
99 | kind: Deployment
100 | metadata:
101 | name: cluster-autoscaler
102 | namespace: kube-system
103 | labels:
104 | app: cluster-autoscaler
105 | spec:
106 | replicas: 1
107 | selector:
108 | matchLabels:
109 | app: cluster-autoscaler
110 | template:
111 | metadata:
112 | labels:
113 | app: cluster-autoscaler
114 | spec:
115 | serviceAccountName: cluster-autoscaler
116 | containers:
117 | - image: k8s.gcr.io/autoscaling/cluster-autoscaler:v1.21.0
118 | name: cluster-autoscaler
119 | resources:
120 | limits:
121 | cpu: 100m
122 | memory: 600Mi
123 | requests:
124 | cpu: 100m
125 | memory: 600Mi
126 | # https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md
127 | command:
128 | - ./cluster-autoscaler
129 | - --v=4
130 | - --stderrthreshold=info
131 | - --cloud-provider=aws
132 | - --skip-nodes-with-local-storage=false
133 | - --expander=least-waste
134 | - --node-group-auto-discovery=asg:tag=k8s.io/cluster-autoscaler/enabled,k8s.io/cluster-autoscaler/cluster-irsa # Update cluster
135 | - --balance-similar-node-groups
136 | - --skip-nodes-with-system-pods=false
137 | volumeMounts:
138 | - name: ssl-certs
139 | mountPath: /etc/ssl/certs/ca-certificates.crt
140 | readOnly: true
141 | imagePullPolicy: "Always"
142 | volumes:
143 | - name: ssl-certs
144 | hostPath:
145 | path: "/etc/ssl/certs/ca-bundle.crt"
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /lessons/109/k8s/cluster-autoscaler.yaml:98-145
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
98 | apiVersion: apps/v1
99 | kind: Deployment
100 | metadata:
101 | name: cluster-autoscaler
102 | namespace: kube-system
103 | labels:
104 | app: cluster-autoscaler
105 | spec:
106 | replicas: 1
107 | selector:
108 | matchLabels:
109 | app: cluster-autoscaler
110 | template:
111 | metadata:
112 | labels:
113 | app: cluster-autoscaler
114 | spec:
115 | serviceAccountName: cluster-autoscaler
116 | containers:
117 | - image: k8s.gcr.io/autoscaling/cluster-autoscaler:v1.21.0
118 | name: cluster-autoscaler
119 | resources:
120 | limits:
121 | cpu: 100m
122 | memory: 600Mi
123 | requests:
124 | cpu: 100m
125 | memory: 600Mi
126 | # https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md
127 | command:
128 | - ./cluster-autoscaler
129 | - --v=4
130 | - --stderrthreshold=info
131 | - --cloud-provider=aws
132 | - --skip-nodes-with-local-storage=false
133 | - --expander=least-waste
134 | - --node-group-auto-discovery=asg:tag=k8s.io/cluster-autoscaler/enabled,k8s.io/cluster-autoscaler/cluster-irsa # Update cluster
135 | - --balance-similar-node-groups
136 | - --skip-nodes-with-system-pods=false
137 | volumeMounts:
138 | - name: ssl-certs
139 | mountPath: /etc/ssl/certs/ca-certificates.crt
140 | readOnly: true
141 | imagePullPolicy: "Always"
142 | volumes:
143 | - name: ssl-certs
144 | hostPath:
145 | path: "/etc/ssl/certs/ca-bundle.crt"
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /lessons/109/k8s/cluster-autoscaler.yaml:98-145
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
98 | apiVersion: apps/v1
99 | kind: Deployment
100 | metadata:
101 | name: cluster-autoscaler
102 | namespace: kube-system
103 | labels:
104 | app: cluster-autoscaler
105 | spec:
106 | replicas: 1
107 | selector:
108 | matchLabels:
109 | app: cluster-autoscaler
110 | template:
111 | metadata:
112 | labels:
113 | app: cluster-autoscaler
114 | spec:
115 | serviceAccountName: cluster-autoscaler
116 | containers:
117 | - image: k8s.gcr.io/autoscaling/cluster-autoscaler:v1.21.0
118 | name: cluster-autoscaler
119 | resources:
120 | limits:
121 | cpu: 100m
122 | memory: 600Mi
123 | requests:
124 | cpu: 100m
125 | memory: 600Mi
126 | # https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md
127 | command:
128 | - ./cluster-autoscaler
129 | - --v=4
130 | - --stderrthreshold=info
131 | - --cloud-provider=aws
132 | - --skip-nodes-with-local-storage=false
133 | - --expander=least-waste
134 | - --node-group-auto-discovery=asg:tag=k8s.io/cluster-autoscaler/enabled,k8s.io/cluster-autoscaler/cluster-irsa # Update cluster
135 | - --balance-similar-node-groups
136 | - --skip-nodes-with-system-pods=false
137 | volumeMounts:
138 | - name: ssl-certs
139 | mountPath: /etc/ssl/certs/ca-certificates.crt
140 | readOnly: true
141 | imagePullPolicy: "Always"
142 | volumes:
143 | - name: ssl-certs
144 | hostPath:
145 | path: "/etc/ssl/certs/ca-bundle.crt"
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /lessons/109/k8s/cluster-autoscaler.yaml:98-145
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
98 | apiVersion: apps/v1
99 | kind: Deployment
100 | metadata:
101 | name: cluster-autoscaler
102 | namespace: kube-system
103 | labels:
104 | app: cluster-autoscaler
105 | spec:
106 | replicas: 1
107 | selector:
108 | matchLabels:
109 | app: cluster-autoscaler
110 | template:
111 | metadata:
112 | labels:
113 | app: cluster-autoscaler
114 | spec:
115 | serviceAccountName: cluster-autoscaler
116 | containers:
117 | - image: k8s.gcr.io/autoscaling/cluster-autoscaler:v1.21.0
118 | name: cluster-autoscaler
119 | resources:
120 | limits:
121 | cpu: 100m
122 | memory: 600Mi
123 | requests:
124 | cpu: 100m
125 | memory: 600Mi
126 | # https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md
127 | command:
128 | - ./cluster-autoscaler
129 | - --v=4
130 | - --stderrthreshold=info
131 | - --cloud-provider=aws
132 | - --skip-nodes-with-local-storage=false
133 | - --expander=least-waste
134 | - --node-group-auto-discovery=asg:tag=k8s.io/cluster-autoscaler/enabled,k8s.io/cluster-autoscaler/cluster-irsa # Update cluster
135 | - --balance-similar-node-groups
136 | - --skip-nodes-with-system-pods=false
137 | volumeMounts:
138 | - name: ssl-certs
139 | mountPath: /etc/ssl/certs/ca-certificates.crt
140 | readOnly: true
141 | imagePullPolicy: "Always"
142 | volumes:
143 | - name: ssl-certs
144 | hostPath:
145 | path: "/etc/ssl/certs/ca-bundle.crt"
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /lessons/109/k8s/cluster-autoscaler.yaml:98-145
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
98 | apiVersion: apps/v1
99 | kind: Deployment
100 | metadata:
101 | name: cluster-autoscaler
102 | namespace: kube-system
103 | labels:
104 | app: cluster-autoscaler
105 | spec:
106 | replicas: 1
107 | selector:
108 | matchLabels:
109 | app: cluster-autoscaler
110 | template:
111 | metadata:
112 | labels:
113 | app: cluster-autoscaler
114 | spec:
115 | serviceAccountName: cluster-autoscaler
116 | containers:
117 | - image: k8s.gcr.io/autoscaling/cluster-autoscaler:v1.21.0
118 | name: cluster-autoscaler
119 | resources:
120 | limits:
121 | cpu: 100m
122 | memory: 600Mi
123 | requests:
124 | cpu: 100m
125 | memory: 600Mi
126 | # https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md
127 | command:
128 | - ./cluster-autoscaler
129 | - --v=4
130 | - --stderrthreshold=info
131 | - --cloud-provider=aws
132 | - --skip-nodes-with-local-storage=false
133 | - --expander=least-waste
134 | - --node-group-auto-discovery=asg:tag=k8s.io/cluster-autoscaler/enabled,k8s.io/cluster-autoscaler/cluster-irsa # Update cluster
135 | - --balance-similar-node-groups
136 | - --skip-nodes-with-system-pods=false
137 | volumeMounts:
138 | - name: ssl-certs
139 | mountPath: /etc/ssl/certs/ca-certificates.crt
140 | readOnly: true
141 | imagePullPolicy: "Always"
142 | volumes:
143 | - name: ssl-certs
144 | hostPath:
145 | path: "/etc/ssl/certs/ca-bundle.crt"
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /lessons/109/k8s/cluster-autoscaler.yaml:98-145
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
98 | apiVersion: apps/v1
99 | kind: Deployment
100 | metadata:
101 | name: cluster-autoscaler
102 | namespace: kube-system
103 | labels:
104 | app: cluster-autoscaler
105 | spec:
106 | replicas: 1
107 | selector:
108 | matchLabels:
109 | app: cluster-autoscaler
110 | template:
111 | metadata:
112 | labels:
113 | app: cluster-autoscaler
114 | spec:
115 | serviceAccountName: cluster-autoscaler
116 | containers:
117 | - image: k8s.gcr.io/autoscaling/cluster-autoscaler:v1.21.0
118 | name: cluster-autoscaler
119 | resources:
120 | limits:
121 | cpu: 100m
122 | memory: 600Mi
123 | requests:
124 | cpu: 100m
125 | memory: 600Mi
126 | # https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md
127 | command:
128 | - ./cluster-autoscaler
129 | - --v=4
130 | - --stderrthreshold=info
131 | - --cloud-provider=aws
132 | - --skip-nodes-with-local-storage=false
133 | - --expander=least-waste
134 | - --node-group-auto-discovery=asg:tag=k8s.io/cluster-autoscaler/enabled,k8s.io/cluster-autoscaler/cluster-irsa # Update cluster
135 | - --balance-similar-node-groups
136 | - --skip-nodes-with-system-pods=false
137 | volumeMounts:
138 | - name: ssl-certs
139 | mountPath: /etc/ssl/certs/ca-certificates.crt
140 | readOnly: true
141 | imagePullPolicy: "Always"
142 | volumes:
143 | - name: ssl-certs
144 | hostPath:
145 | path: "/etc/ssl/certs/ca-bundle.crt"
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /lessons/109/k8s/cluster-autoscaler.yaml:98-145
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
98 | apiVersion: apps/v1
99 | kind: Deployment
100 | metadata:
101 |   name: cluster-autoscaler
102 |   namespace: kube-system
103 |   labels:
104 |     app: cluster-autoscaler
105 | spec:
106 |   replicas: 1
107 |   selector:
108 |     matchLabels:
109 |       app: cluster-autoscaler
110 |   template:
111 |     metadata:
112 |       labels:
113 |         app: cluster-autoscaler
114 |     spec:
115 |       serviceAccountName: cluster-autoscaler
116 |       containers:
117 |         - image: k8s.gcr.io/autoscaling/cluster-autoscaler:v1.21.0
118 |           name: cluster-autoscaler
119 |           resources:
120 |             limits:
121 |               cpu: 100m
122 |               memory: 600Mi
123 |             requests:
124 |               cpu: 100m
125 |               memory: 600Mi
126 |           # https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md
127 |           command:
128 |             - ./cluster-autoscaler
129 |             - --v=4
130 |             - --stderrthreshold=info
131 |             - --cloud-provider=aws
132 |             - --skip-nodes-with-local-storage=false
133 |             - --expander=least-waste
134 |             - --node-group-auto-discovery=asg:tag=k8s.io/cluster-autoscaler/enabled,k8s.io/cluster-autoscaler/cluster-irsa # Update cluster
135 |             - --balance-similar-node-groups
136 |             - --skip-nodes-with-system-pods=false
137 |           volumeMounts:
138 |             - name: ssl-certs
139 |               mountPath: /etc/ssl/certs/ca-certificates.crt
140 |               readOnly: true
141 |           imagePullPolicy: "Always"
142 |       volumes:
143 |         - name: ssl-certs
144 |           hostPath:
145 |             path: "/etc/ssl/certs/ca-bundle.crt"
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.staging.aws-cli
File: /lessons/109/k8s/s3.yaml:15-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
15 | apiVersion: v1
16 | kind: Pod
17 | metadata:
18 |   name: aws-cli
19 |   namespace: staging
20 | spec:
21 |   serviceAccountName: foo
22 |   containers:
23 |     - name: aws-cli
24 |       image: amazon/aws-cli
25 |       command: [ "/bin/bash", "-c", "--" ]
26 |       args: [ "while true; do sleep 30; done;" ]
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.staging.aws-cli
File: /lessons/109/k8s/s3.yaml:15-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
15 | apiVersion: v1
16 | kind: Pod
17 | metadata:
18 |   name: aws-cli
19 |   namespace: staging
20 | spec:
21 |   serviceAccountName: foo
22 |   containers:
23 |     - name: aws-cli
24 |       image: amazon/aws-cli
25 |       command: [ "/bin/bash", "-c", "--" ]
26 |       args: [ "while true; do sleep 30; done;" ]
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Pod.staging.aws-cli
File: /lessons/109/k8s/s3.yaml:15-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
15 | apiVersion: v1
16 | kind: Pod
17 | metadata:
18 |   name: aws-cli
19 |   namespace: staging
20 | spec:
21 |   serviceAccountName: foo
22 |   containers:
23 |     - name: aws-cli
24 |       image: amazon/aws-cli
25 |       command: [ "/bin/bash", "-c", "--" ]
26 |       args: [ "while true; do sleep 30; done;" ]
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.staging.aws-cli
File: /lessons/109/k8s/s3.yaml:15-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
15 | apiVersion: v1
16 | kind: Pod
17 | metadata:
18 |   name: aws-cli
19 |   namespace: staging
20 | spec:
21 |   serviceAccountName: foo
22 |   containers:
23 |     - name: aws-cli
24 |       image: amazon/aws-cli
25 |       command: [ "/bin/bash", "-c", "--" ]
26 |       args: [ "while true; do sleep 30; done;" ]
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.staging.aws-cli
File: /lessons/109/k8s/s3.yaml:15-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
15 | apiVersion: v1
16 | kind: Pod
17 | metadata:
18 |   name: aws-cli
19 |   namespace: staging
20 | spec:
21 |   serviceAccountName: foo
22 |   containers:
23 |     - name: aws-cli
24 |       image: amazon/aws-cli
25 |       command: [ "/bin/bash", "-c", "--" ]
26 |       args: [ "while true; do sleep 30; done;" ]
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.staging.aws-cli
File: /lessons/109/k8s/s3.yaml:15-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
15 | apiVersion: v1
16 | kind: Pod
17 | metadata:
18 |   name: aws-cli
19 |   namespace: staging
20 | spec:
21 |   serviceAccountName: foo
22 |   containers:
23 |     - name: aws-cli
24 |       image: amazon/aws-cli
25 |       command: [ "/bin/bash", "-c", "--" ]
26 |       args: [ "while true; do sleep 30; done;" ]
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.staging.aws-cli
File: /lessons/109/k8s/s3.yaml:15-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
15 | apiVersion: v1
16 | kind: Pod
17 | metadata:
18 |   name: aws-cli
19 |   namespace: staging
20 | spec:
21 |   serviceAccountName: foo
22 |   containers:
23 |     - name: aws-cli
24 |       image: amazon/aws-cli
25 |       command: [ "/bin/bash", "-c", "--" ]
26 |       args: [ "while true; do sleep 30; done;" ]
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.staging.aws-cli
File: /lessons/109/k8s/s3.yaml:15-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
15 | apiVersion: v1
16 | kind: Pod
17 | metadata:
18 |   name: aws-cli
19 |   namespace: staging
20 | spec:
21 |   serviceAccountName: foo
22 |   containers:
23 |     - name: aws-cli
24 |       image: amazon/aws-cli
25 |       command: [ "/bin/bash", "-c", "--" ]
26 |       args: [ "while true; do sleep 30; done;" ]
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.staging.aws-cli
File: /lessons/109/k8s/s3.yaml:15-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
15 | apiVersion: v1
16 | kind: Pod
17 | metadata:
18 |   name: aws-cli
19 |   namespace: staging
20 | spec:
21 |   serviceAccountName: foo
22 |   containers:
23 |     - name: aws-cli
24 |       image: amazon/aws-cli
25 |       command: [ "/bin/bash", "-c", "--" ]
26 |       args: [ "while true; do sleep 30; done;" ]
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.staging.aws-cli
File: /lessons/109/k8s/s3.yaml:15-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
15 | apiVersion: v1
16 | kind: Pod
17 | metadata:
18 |   name: aws-cli
19 |   namespace: staging
20 | spec:
21 |   serviceAccountName: foo
22 |   containers:
23 |     - name: aws-cli
24 |       image: amazon/aws-cli
25 |       command: [ "/bin/bash", "-c", "--" ]
26 |       args: [ "while true; do sleep 30; done;" ]
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.staging.aws-cli
File: /lessons/109/k8s/s3.yaml:15-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
15 | apiVersion: v1
16 | kind: Pod
17 | metadata:
18 |   name: aws-cli
19 |   namespace: staging
20 | spec:
21 |   serviceAccountName: foo
22 |   containers:
23 |     - name: aws-cli
24 |       image: amazon/aws-cli
25 |       command: [ "/bin/bash", "-c", "--" ]
26 |       args: [ "while true; do sleep 30; done;" ]
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.staging.aws-cli
File: /lessons/109/k8s/s3.yaml:15-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
15 | apiVersion: v1
16 | kind: Pod
17 | metadata:
18 |   name: aws-cli
19 |   namespace: staging
20 | spec:
21 |   serviceAccountName: foo
22 |   containers:
23 |     - name: aws-cli
24 |       image: amazon/aws-cli
25 |       command: [ "/bin/bash", "-c", "--" ]
26 |       args: [ "while true; do sleep 30; done;" ]
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.staging.aws-cli
File: /lessons/109/k8s/s3.yaml:15-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
15 | apiVersion: v1
16 | kind: Pod
17 | metadata:
18 |   name: aws-cli
19 |   namespace: staging
20 | spec:
21 |   serviceAccountName: foo
22 |   containers:
23 |     - name: aws-cli
24 |       image: amazon/aws-cli
25 |       command: [ "/bin/bash", "-c", "--" ]
26 |       args: [ "while true; do sleep 30; done;" ]
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.staging.aws-cli
File: /lessons/109/k8s/s3.yaml:15-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
15 | apiVersion: v1
16 | kind: Pod
17 | metadata:
18 |   name: aws-cli
19 |   namespace: staging
20 | spec:
21 |   serviceAccountName: foo
22 |   containers:
23 |     - name: aws-cli
24 |       image: amazon/aws-cli
25 |       command: [ "/bin/bash", "-c", "--" ]
26 |       args: [ "while true; do sleep 30; done;" ]
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.staging.aws-cli
File: /lessons/109/k8s/s3.yaml:15-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
15 | apiVersion: v1
16 | kind: Pod
17 | metadata:
18 |   name: aws-cli
19 |   namespace: staging
20 | spec:
21 |   serviceAccountName: foo
22 |   containers:
23 |     - name: aws-cli
24 |       image: amazon/aws-cli
25 |       command: [ "/bin/bash", "-c", "--" ]
26 |       args: [ "while true; do sleep 30; done;" ]
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Pod.staging.aws-cli
File: /lessons/109/k8s/s3.yaml:15-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
15 | apiVersion: v1
16 | kind: Pod
17 | metadata:
18 |   name: aws-cli
19 |   namespace: staging
20 | spec:
21 |   serviceAccountName: foo
22 |   containers:
23 |     - name: aws-cli
24 |       image: amazon/aws-cli
25 |       command: [ "/bin/bash", "-c", "--" ]
26 |       args: [ "while true; do sleep 30; done;" ]
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.staging.aws-cli
File: /lessons/109/k8s/s3.yaml:15-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
15 | apiVersion: v1
16 | kind: Pod
17 | metadata:
18 |   name: aws-cli
19 |   namespace: staging
20 | spec:
21 |   serviceAccountName: foo
22 |   containers:
23 |     - name: aws-cli
24 |       image: amazon/aws-cli
25 |       command: [ "/bin/bash", "-c", "--" ]
26 |       args: [ "while true; do sleep 30; done;" ]
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.staging.aws-cli
File: /lessons/109/k8s/s3.yaml:15-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
15 | apiVersion: v1
16 | kind: Pod
17 | metadata:
18 |   name: aws-cli
19 |   namespace: staging
20 | spec:
21 |   serviceAccountName: foo
22 |   containers:
23 |     - name: aws-cli
24 |       image: amazon/aws-cli
25 |       command: [ "/bin/bash", "-c", "--" ]
26 |       args: [ "while true; do sleep 30; done;" ]
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/109/k8s/deployment.yaml:2-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 | spec:
7 |   replicas: 5
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
21 |           resources:
22 |             requests:
23 |               memory: 2Gi
24 |               cpu: 250m
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx
File: /lessons/109/k8s/deployment.yaml:2-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 | spec:
7 |   replicas: 5
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
21 |           resources:
22 |             requests:
23 |               memory: 2Gi
24 |               cpu: 250m
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx
File: /lessons/109/k8s/deployment.yaml:2-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 | spec:
7 |   replicas: 5
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
21 |           resources:
22 |             requests:
23 |               memory: 2Gi
24 |               cpu: 250m
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/109/k8s/deployment.yaml:2-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 | spec:
7 |   replicas: 5
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
21 |           resources:
22 |             requests:
23 |               memory: 2Gi
24 |               cpu: 250m
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/109/k8s/deployment.yaml:2-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 | spec:
7 |   replicas: 5
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
21 |           resources:
22 |             requests:
23 |               memory: 2Gi
24 |               cpu: 250m
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/109/k8s/deployment.yaml:2-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 | spec:
7 |   replicas: 5
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
21 |           resources:
22 |             requests:
23 |               memory: 2Gi
24 |               cpu: 250m
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx
File: /lessons/109/k8s/deployment.yaml:2-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 | spec:
7 |   replicas: 5
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
21 |           resources:
22 |             requests:
23 |               memory: 2Gi
24 |               cpu: 250m
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx
File: /lessons/109/k8s/deployment.yaml:2-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 | spec:
7 |   replicas: 5
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
21 |           resources:
22 |             requests:
23 |               memory: 2Gi
24 |               cpu: 250m
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/109/k8s/deployment.yaml:2-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 | spec:
7 |   replicas: 5
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
21 |           resources:
22 |             requests:
23 |               memory: 2Gi
24 |               cpu: 250m
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/109/k8s/deployment.yaml:2-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 | spec:
7 |   replicas: 5
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
21 |           resources:
22 |             requests:
23 |               memory: 2Gi
24 |               cpu: 250m
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx
File: /lessons/109/k8s/deployment.yaml:2-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 | spec:
7 |   replicas: 5
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
21 |           resources:
22 |             requests:
23 |               memory: 2Gi
24 |               cpu: 250m
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/109/k8s/deployment.yaml:2-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 | spec:
7 |   replicas: 5
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
21 |           resources:
22 |             requests:
23 |               memory: 2Gi
24 |               cpu: 250m
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx
File: /lessons/109/k8s/deployment.yaml:2-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 | spec:
7 |   replicas: 5
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
21 |           resources:
22 |             requests:
23 |               memory: 2Gi
24 |               cpu: 250m
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx
File: /lessons/109/k8s/deployment.yaml:2-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 | spec:
7 |   replicas: 5
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
21 |           resources:
22 |             requests:
23 |               memory: 2Gi
24 |               cpu: 250m
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx
File: /lessons/109/k8s/deployment.yaml:2-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 | spec:
7 |   replicas: 5
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
21 |           resources:
22 |             requests:
23 |               memory: 2Gi
24 |               cpu: 250m
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx
File: /lessons/109/k8s/deployment.yaml:2-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 | spec:
7 |   replicas: 5
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
21 |           resources:
22 |             requests:
23 |               memory: 2Gi
24 |               cpu: 250m
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx
File: /lessons/109/k8s/deployment.yaml:2-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 | spec:
7 |   replicas: 5
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
21 |           resources:
22 |             requests:
23 |               memory: 2Gi
24 |               cpu: 250m
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.staging.service-b
File: /lessons/066/k8s/2-service-b.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-b
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-b
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-b
16 |     spec:
17 |       containers:
18 |         - name: service-b
19 |           image: busybox:1.33.1
20 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
21 |           ports:
22 |             - containerPort: 8080
23 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.service-b
File: /lessons/066/k8s/2-service-b.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-b
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-b
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-b
16 |     spec:
17 |       containers:
18 |         - name: service-b
19 |           image: busybox:1.33.1
20 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
21 |           ports:
22 |             - containerPort: 8080
23 | ---
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.staging.service-b
File: /lessons/066/k8s/2-service-b.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-b
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-b
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-b
16 |     spec:
17 |       containers:
18 |         - name: service-b
19 |           image: busybox:1.33.1
20 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
21 |           ports:
22 |             - containerPort: 8080
23 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.service-b
File: /lessons/066/k8s/2-service-b.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-b
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-b
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-b
16 |     spec:
17 |       containers:
18 |         - name: service-b
19 |           image: busybox:1.33.1
20 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
21 |           ports:
22 |             - containerPort: 8080
23 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.service-b
File: /lessons/066/k8s/2-service-b.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-b
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-b
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-b
16 |     spec:
17 |       containers:
18 |         - name: service-b
19 |           image: busybox:1.33.1
20 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
21 |           ports:
22 |             - containerPort: 8080
23 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.service-b
File: /lessons/066/k8s/2-service-b.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-b
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-b
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-b
16 |     spec:
17 |       containers:
18 |         - name: service-b
19 |           image: busybox:1.33.1
20 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
21 |           ports:
22 |             - containerPort: 8080
23 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.service-b
File: /lessons/066/k8s/2-service-b.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-b
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-b
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-b
16 |     spec:
17 |       containers:
18 |         - name: service-b
19 |           image: busybox:1.33.1
20 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
21 |           ports:
22 |             - containerPort: 8080
23 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.service-b
File: /lessons/066/k8s/2-service-b.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-b
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-b
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-b
16 |     spec:
17 |       containers:
18 |         - name: service-b
19 |           image: busybox:1.33.1
20 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
21 |           ports:
22 |             - containerPort: 8080
23 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.service-b
File: /lessons/066/k8s/2-service-b.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-b
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-b
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-b
16 |     spec:
17 |       containers:
18 |         - name: service-b
19 |           image: busybox:1.33.1
20 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
21 |           ports:
22 |             - containerPort: 8080
23 | ---
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.service-b
File: /lessons/066/k8s/2-service-b.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-b
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-b
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-b
16 |     spec:
17 |       containers:
18 |         - name: service-b
19 |           image: busybox:1.33.1
20 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
21 |           ports:
22 |             - containerPort: 8080
23 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.service-b
File: /lessons/066/k8s/2-service-b.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-b
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-b
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-b
16 |     spec:
17 |       containers:
18 |         - name: service-b
19 |           image: busybox:1.33.1
20 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
21 |           ports:
22 |             - containerPort: 8080
23 | ---
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.staging.service-b
File: /lessons/066/k8s/2-service-b.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-b
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-b
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-b
16 |     spec:
17 |       containers:
18 |         - name: service-b
19 |           image: busybox:1.33.1
20 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
21 |           ports:
22 |             - containerPort: 8080
23 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.service-b
File: /lessons/066/k8s/2-service-b.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-b
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-b
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-b
16 |     spec:
17 |       containers:
18 |         - name: service-b
19 |           image: busybox:1.33.1
20 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
21 |           ports:
22 |             - containerPort: 8080
23 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.service-b
File: /lessons/066/k8s/2-service-b.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-b
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-b
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-b
16 |     spec:
17 |       containers:
18 |         - name: service-b
19 |           image: busybox:1.33.1
20 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
21 |           ports:
22 |             - containerPort: 8080
23 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.service-b
File: /lessons/066/k8s/2-service-b.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-b
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-b
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-b
16 |     spec:
17 |       containers:
18 |         - name: service-b
19 |           image: busybox:1.33.1
20 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
21 |           ports:
22 |             - containerPort: 8080
23 | ---
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.staging.service-b
File: /lessons/066/k8s/2-service-b.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-b
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-b
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-b
16 |     spec:
17 |       containers:
18 |         - name: service-b
19 |           image: busybox:1.33.1
20 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
21 |           ports:
22 |             - containerPort: 8080
23 | ---
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.staging.service-b
File: /lessons/066/k8s/2-service-b.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-b
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-b
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-b
16 |     spec:
17 |       containers:
18 |         - name: service-b
19 |           image: busybox:1.33.1
20 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
21 |           ports:
22 |             - containerPort: 8080
23 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.service-b
File: /lessons/066/k8s/2-service-b.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-b
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-b
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-b
16 |     spec:
17 |       containers:
18 |         - name: service-b
19 |           image: busybox:1.33.1
20 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
21 |           ports:
22 |             - containerPort: 8080
23 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.staging.service-a
File: /lessons/066/k8s/1-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-a
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-a
12 |       access: service-b
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: service-a
17 |         access: service-b
18 |     spec:
19 |       containers:
20 |         - name: service-a
21 |           image: busybox:1.33.1
22 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
23 |           ports:
24 |             - containerPort: 8080
25 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.service-a
File: /lessons/066/k8s/1-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-a
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-a
12 |       access: service-b
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: service-a
17 |         access: service-b
18 |     spec:
19 |       containers:
20 |         - name: service-a
21 |           image: busybox:1.33.1
22 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
23 |           ports:
24 |             - containerPort: 8080
25 | ---
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.staging.service-a
File: /lessons/066/k8s/1-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-a
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-a
12 |       access: service-b
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: service-a
17 |         access: service-b
18 |     spec:
19 |       containers:
20 |         - name: service-a
21 |           image: busybox:1.33.1
22 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
23 |           ports:
24 |             - containerPort: 8080
25 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.service-a
File: /lessons/066/k8s/1-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-a
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-a
12 |       access: service-b
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: service-a
17 |         access: service-b
18 |     spec:
19 |       containers:
20 |         - name: service-a
21 |           image: busybox:1.33.1
22 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
23 |           ports:
24 |             - containerPort: 8080
25 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.service-a
File: /lessons/066/k8s/1-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-a
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-a
12 |       access: service-b
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: service-a
17 |         access: service-b
18 |     spec:
19 |       containers:
20 |         - name: service-a
21 |           image: busybox:1.33.1
22 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
23 |           ports:
24 |             - containerPort: 8080
25 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.service-a
File: /lessons/066/k8s/1-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-a
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-a
12 |       access: service-b
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: service-a
17 |         access: service-b
18 |     spec:
19 |       containers:
20 |         - name: service-a
21 |           image: busybox:1.33.1
22 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
23 |           ports:
24 |             - containerPort: 8080
25 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.service-a
File: /lessons/066/k8s/1-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-a
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-a
12 |       access: service-b
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: service-a
17 |         access: service-b
18 |     spec:
19 |       containers:
20 |         - name: service-a
21 |           image: busybox:1.33.1
22 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
23 |           ports:
24 |             - containerPort: 8080
25 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.service-a
File: /lessons/066/k8s/1-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-a
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-a
12 |       access: service-b
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: service-a
17 |         access: service-b
18 |     spec:
19 |       containers:
20 |         - name: service-a
21 |           image: busybox:1.33.1
22 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
23 |           ports:
24 |             - containerPort: 8080
25 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.service-a
File: /lessons/066/k8s/1-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-a
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-a
12 |       access: service-b
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: service-a
17 |         access: service-b
18 |     spec:
19 |       containers:
20 |         - name: service-a
21 |           image: busybox:1.33.1
22 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
23 |           ports:
24 |             - containerPort: 8080
25 | ---
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.service-a
File: /lessons/066/k8s/1-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-a
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-a
12 |       access: service-b
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: service-a
17 |         access: service-b
18 |     spec:
19 |       containers:
20 |         - name: service-a
21 |           image: busybox:1.33.1
22 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
23 |           ports:
24 |             - containerPort: 8080
25 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.service-a
File: /lessons/066/k8s/1-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-a
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-a
12 |       access: service-b
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: service-a
17 |         access: service-b
18 |     spec:
19 |       containers:
20 |         - name: service-a
21 |           image: busybox:1.33.1
22 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
23 |           ports:
24 |             - containerPort: 8080
25 | ---
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.staging.service-a
File: /lessons/066/k8s/1-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-a
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-a
12 |       access: service-b
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: service-a
17 |         access: service-b
18 |     spec:
19 |       containers:
20 |         - name: service-a
21 |           image: busybox:1.33.1
22 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
23 |           ports:
24 |             - containerPort: 8080
25 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.service-a
File: /lessons/066/k8s/1-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-a
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-a
12 |       access: service-b
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: service-a
17 |         access: service-b
18 |     spec:
19 |       containers:
20 |         - name: service-a
21 |           image: busybox:1.33.1
22 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
23 |           ports:
24 |             - containerPort: 8080
25 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.service-a
File: /lessons/066/k8s/1-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-a
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-a
12 |       access: service-b
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: service-a
17 |         access: service-b
18 |     spec:
19 |       containers:
20 |         - name: service-a
21 |           image: busybox:1.33.1
22 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
23 |           ports:
24 |             - containerPort: 8080
25 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.service-a
File: /lessons/066/k8s/1-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-a
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-a
12 |       access: service-b
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: service-a
17 |         access: service-b
18 |     spec:
19 |       containers:
20 |         - name: service-a
21 |           image: busybox:1.33.1
22 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
23 |           ports:
24 |             - containerPort: 8080
25 | ---
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.staging.service-a
File: /lessons/066/k8s/1-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-a
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-a
12 |       access: service-b
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: service-a
17 |         access: service-b
18 |     spec:
19 |       containers:
20 |         - name: service-a
21 |           image: busybox:1.33.1
22 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
23 |           ports:
24 |             - containerPort: 8080
25 | ---
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.staging.service-a
File: /lessons/066/k8s/1-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-a
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-a
12 |       access: service-b
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: service-a
17 |         access: service-b
18 |     spec:
19 |       containers:
20 |         - name: service-a
21 |           image: busybox:1.33.1
22 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
23 |           ports:
24 |             - containerPort: 8080
25 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.service-a
File: /lessons/066/k8s/1-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-a
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-a
12 |       access: service-b
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: service-a
17 |         access: service-b
18 |     spec:
19 |       containers:
20 |         - name: service-a
21 |           image: busybox:1.33.1
22 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
23 |           ports:
24 |             - containerPort: 8080
25 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.production.service-c
File: /lessons/066/k8s/4-service-c.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-c
6 |   namespace: production
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-c
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-c
16 |     spec:
17 |       containers:
18 |         - name: service-c
19 |           image: busybox:1.33.1
20 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
21 |           ports:
22 |             - containerPort: 8080
23 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.production.service-c
File: /lessons/066/k8s/4-service-c.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-c
6 |   namespace: production
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-c
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-c
16 |     spec:
17 |       containers:
18 |         - name: service-c
19 |           image: busybox:1.33.1
20 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
21 |           ports:
22 |             - containerPort: 8080
23 | ---
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.production.service-c
File: /lessons/066/k8s/4-service-c.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-c
6 |   namespace: production
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-c
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-c
16 |     spec:
17 |       containers:
18 |         - name: service-c
19 |           image: busybox:1.33.1
20 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
21 |           ports:
22 |             - containerPort: 8080
23 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.production.service-c
File: /lessons/066/k8s/4-service-c.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-c
6 |   namespace: production
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-c
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-c
16 |     spec:
17 |       containers:
18 |         - name: service-c
19 |           image: busybox:1.33.1
20 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
21 |           ports:
22 |             - containerPort: 8080
23 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.production.service-c
File: /lessons/066/k8s/4-service-c.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-c
6 |   namespace: production
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-c
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-c
16 |     spec:
17 |       containers:
18 |         - name: service-c
19 |           image: busybox:1.33.1
20 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
21 |           ports:
22 |             - containerPort: 8080
23 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.production.service-c
File: /lessons/066/k8s/4-service-c.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-c
6 |   namespace: production
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-c
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-c
16 |     spec:
17 |       containers:
18 |         - name: service-c
19 |           image: busybox:1.33.1
20 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
21 |           ports:
22 |             - containerPort: 8080
23 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.production.service-c
File: /lessons/066/k8s/4-service-c.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-c
6 |   namespace: production
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-c
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-c
16 |     spec:
17 |       containers:
18 |         - name: service-c
19 |           image: busybox:1.33.1
20 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
21 |           ports:
22 |             - containerPort: 8080
23 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.production.service-c
File: /lessons/066/k8s/4-service-c.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-c
6 |   namespace: production
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-c
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-c
16 |     spec:
17 |       containers:
18 |         - name: service-c
19 |           image: busybox:1.33.1
20 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
21 |           ports:
22 |             - containerPort: 8080
23 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.production.service-c
File: /lessons/066/k8s/4-service-c.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-c
6 |   namespace: production
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-c
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-c
16 |     spec:
17 |       containers:
18 |         - name: service-c
19 |           image: busybox:1.33.1
20 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
21 |           ports:
22 |             - containerPort: 8080
23 | ---
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.production.service-c
File: /lessons/066/k8s/4-service-c.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-c
6 |   namespace: production
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-c
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-c
16 |     spec:
17 |       containers:
18 |         - name: service-c
19 |           image: busybox:1.33.1
20 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
21 |           ports:
22 |             - containerPort: 8080
23 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.production.service-c
File: /lessons/066/k8s/4-service-c.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-c
6 |   namespace: production
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-c
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-c
16 |     spec:
17 |       containers:
18 |         - name: service-c
19 |           image: busybox:1.33.1
20 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
21 |           ports:
22 |             - containerPort: 8080
23 | ---
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.production.service-c
File: /lessons/066/k8s/4-service-c.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-c
6 |   namespace: production
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-c
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-c
16 |     spec:
17 |       containers:
18 |         - name: service-c
19 |           image: busybox:1.33.1
20 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
21 |           ports:
22 |             - containerPort: 8080
23 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.production.service-c
File: /lessons/066/k8s/4-service-c.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: service-c
6 |   namespace: production
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: service-c
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: service-c
16 |     spec:
17 |       containers:
18 |         - name: service-c
19 |           image: busybox:1.33.1
20 |           command: ["nc", "-lkv", "-p", "8080", "-e", "/bin/sh"]
21 |           ports:
22 |             - containerPort: 8080
23 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.production.service-c
File: /lessons/066/k8s/4-service-c.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.production.service-c
File: /lessons/066/k8s/4-service-c.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.production.service-c
File: /lessons/066/k8s/4-service-c.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.production.service-c
File: /lessons/066/k8s/4-service-c.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.production.service-c
File: /lessons/066/k8s/4-service-c.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/159/lesson-159/my-app-base/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | labels:
7 | app: nginx
8 | spec:
9 | selector:
10 | matchLabels:
11 | app: nginx
12 | template:
13 | metadata:
14 | labels:
15 | app: nginx
16 | spec:
17 | containers:
18 | - name: nginx
19 | imagePullPolicy: Always
20 | image: aputra/nginx-lesson159
21 | ports:
22 | - containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/159/lesson-159/my-app-base/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/159/lesson-159/my-app-base/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/159/lesson-159/my-app-base/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/159/lesson-159/my-app-base/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/159/lesson-159/my-app-base/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/159/lesson-159/my-app-base/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/159/lesson-159/my-app-base/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/159/lesson-159/my-app-base/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/159/lesson-159/my-app-base/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/159/lesson-159/my-app-base/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/159/lesson-159/my-app-base/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/159/lesson-159/my-app-base/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/159/lesson-159/my-app-base/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/159/lesson-159/my-app-base/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/159/lesson-159/my-app-base/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/159/lesson-159/my-app-base/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/159/lesson-159/my-app-base/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/159/lesson-159/my-app-base/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
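All of the nginx-deployment findings above are against the same 21-line manifest, and three of them cannot be fixed by adding fields alone. A stock nginx image started as a non-root UID with a read-only root filesystem (CKV_K8S_22, CKV_K8S_23, CKV_K8S_40) exits at startup: the master process binds port 80, which an unprivileged UID cannot do once NET_BIND_SERVICE is dropped, and it writes /var/run/nginx.pid and /var/cache/nginx. The file below is an added example, not lesson 159's my-app-base/deployment.yaml. It assumes aputra/nginx-lesson159 is built on the stock nginx image with those defaults (the image contents are not shown on this page), uses a placeholder digest, and names a `web` namespace that must already exist.

```yaml
# Added example (not the repository's file): my-app-base/deployment.yaml
# rewritten so the listed checks pass AND the stock nginx image still starts.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  namespace: web               # CKV_K8S_21: anything but default (assumed to exist)
  labels:
    app: nginx
spec:
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      automountServiceAccountToken: false    # CKV_K8S_38
      securityContext:                       # CKV_K8S_29
        runAsNonRoot: true                   # CKV_K8S_23
        runAsUser: 10001                     # CKV_K8S_40
        runAsGroup: 10001
        seccompProfile:
          type: RuntimeDefault               # CKV_K8S_31
        # nginx must bind :80 without CAP_NET_BIND_SERVICE. Lowering the
        # unprivileged-port floor is a namespaced "safe" sysctl (allowed
        # without any kubelet flag since Kubernetes 1.22) and avoids adding
        # the capability back, which would fail CKV_K8S_37 again.
        sysctls:
          - name: net.ipv4.ip_unprivileged_port_start
            value: "80"
      containers:
        - name: nginx
          imagePullPolicy: Always            # CKV_K8S_15 (already set in the original)
          # CKV_K8S_14 fails because no tag means :latest; CKV_K8S_43 passes
          # only for the digest form, which satisfies both at once.
          image: aputra/nginx-lesson159@sha256:<digest>   # placeholder
          ports:
            - containerPort: 80
          securityContext:                   # CKV_K8S_30
            allowPrivilegeEscalation: false  # CKV_K8S_20
            readOnlyRootFilesystem: true     # CKV_K8S_22
            capabilities:
              drop: ["ALL"]                  # CKV_K8S_28, CKV_K8S_37
          # Read-only root FS: hand nginx writable scratch space exactly where
          # the stock config expects it (pid file under /var/run, cache under
          # /var/cache/nginx); everything else stays immutable.
          volumeMounts:
            - name: cache
              mountPath: /var/cache/nginx
            - name: run
              mountPath: /var/run
          resources:                         # CKV_K8S_10, 11, 12, 13 (values assumed)
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              cpu: 250m
              memory: 128Mi
          livenessProbe:                     # CKV_K8S_8
            httpGet:
              path: /
              port: 80
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:                    # CKV_K8S_9
            httpGet:
              path: /
              port: 80
            periodSeconds: 5
      volumes:
        - name: cache
          emptyDir: {}
        - name: run
          emptyDir: {}
```

Rebuilding on an image that listens above 1024 (the nginxinc/nginx-unprivileged image does, on 8080) removes the need for the sysctl entirely; adding NET_BIND_SERVICE under `capabilities.add` would also work but trades one finding for another. The official image's entrypoint scripts only warn when /etc/nginx/conf.d is not writable, so the read-only root filesystem does not stop them.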
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: StatefulSet.database.mongodb
File: /lessons/050/k8s/mongodb/5-mongodb-statefulset.yaml:2-196
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: StatefulSet.database.mongodb
File: /lessons/050/k8s/mongodb/5-mongodb-statefulset.yaml:2-196
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: StatefulSet.database.mongodb
File: /lessons/050/k8s/mongodb/5-mongodb-statefulset.yaml:2-196
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: StatefulSet.database.mongodb
File: /lessons/050/k8s/mongodb/5-mongodb-statefulset.yaml:2-196
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: StatefulSet.database.mongodb
File: /lessons/050/k8s/mongodb/5-mongodb-statefulset.yaml:2-196
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: StatefulSet.database.mongodb
File: /lessons/050/k8s/mongodb/5-mongodb-statefulset.yaml:2-196
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: StatefulSet.database.mongodb
File: /lessons/050/k8s/mongodb/5-mongodb-statefulset.yaml:2-196
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: StatefulSet.database.mongodb
File: /lessons/050/k8s/mongodb/5-mongodb-statefulset.yaml:2-196
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: StatefulSet.database.mongodb
File: /lessons/050/k8s/mongodb/5-mongodb-statefulset.yaml:2-196
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: StatefulSet.database.mongodb
File: /lessons/050/k8s/mongodb/5-mongodb-statefulset.yaml:2-196
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: StatefulSet.database.mongodb-arbiter
File: /lessons/050/k8s/mongodb/7-arbiter-statefulset.yaml:2-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: StatefulSet.database.mongodb-arbiter
File: /lessons/050/k8s/mongodb/7-arbiter-statefulset.yaml:2-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: StatefulSet.database.mongodb-arbiter
File: /lessons/050/k8s/mongodb/7-arbiter-statefulset.yaml:2-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: StatefulSet.database.mongodb-arbiter
File: /lessons/050/k8s/mongodb/7-arbiter-statefulset.yaml:2-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: StatefulSet.database.mongodb-arbiter
File: /lessons/050/k8s/mongodb/7-arbiter-statefulset.yaml:2-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: StatefulSet.database.mongodb-arbiter
File: /lessons/050/k8s/mongodb/7-arbiter-statefulset.yaml:2-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: StatefulSet.database.mongodb-arbiter
File: /lessons/050/k8s/mongodb/7-arbiter-statefulset.yaml:2-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: StatefulSet.database.mongodb-arbiter
File: /lessons/050/k8s/mongodb/7-arbiter-statefulset.yaml:2-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: StatefulSet.database.mongodb-arbiter
File: /lessons/050/k8s/mongodb/7-arbiter-statefulset.yaml:2-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: StatefulSet.database.mongodb-arbiter
File: /lessons/050/k8s/mongodb/7-arbiter-statefulset.yaml:2-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.drage
File: /lessons/050/k8s/drage/3-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: drage
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: drage
12 | template:
13 | metadata:
14 | labels:
15 | app: drage
16 | spec:
17 | containers:
18 | - name: drage
19 | image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/drage:v0.1.5
20 | ports:
21 | - name: http
22 | containerPort: 5000
23 | env:
24 | - name: MONGODB_HOSTNAME
25 | value: mongodb-0.mongodb-headless.database
26 | - name: MONGODB_PORT
27 | value: "27017"
28 | - name: MONGODB_DATABASE
29 | value: inventory
30 | - name: MONGODB_USERNAME
31 | value: drage
32 | - name: MONGODB_PASSWORD
33 | valueFrom:
34 | secretKeyRef:
35 | name: creds
36 | key: db-password
37 | resources:
38 | limits:
39 | cpu: 200m
40 | memory: 256Mi
41 | requests:
42 | cpu: 100m
43 | memory: 128Mi
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.drage
File: /lessons/050/k8s/drage/3-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.drage
File: /lessons/050/k8s/drage/3-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.drage
File: /lessons/050/k8s/drage/3-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.drage
File: /lessons/050/k8s/drage/3-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.drage
File: /lessons/050/k8s/drage/3-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.drage
File: /lessons/050/k8s/drage/3-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.drage
File: /lessons/050/k8s/drage/3-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.drage
File: /lessons/050/k8s/drage/3-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.staging.drage
File: /lessons/050/k8s/drage/3-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.drage
File: /lessons/050/k8s/drage/3-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.drage
File: /lessons/050/k8s/drage/3-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.drage
File: /lessons/050/k8s/drage/3-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.staging.drage
File: /lessons/050/k8s/drage/3-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.drage
File: /lessons/050/k8s/drage/3-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ServiceAccount.default.app
File: /lessons/065/k8s/sa.yaml:2-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: ServiceAccount
4 | metadata:
5 |   name: app
6 |   namespace: default
7 |   annotations:
8 |     eks.amazonaws.com/role-arn: arn:aws:iam::424432388155:role/S3TestAccessRole
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/065/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx-deployment
6 |   namespace: default
7 | spec:
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   replicas: 1
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: nginx
16 |     spec:
17 |       serviceAccountName: app
18 |       initContainers:
19 |         - name: aws-cli
20 |           image: amazon/aws-cli
21 |           command: ['aws', 's3', 'cp', 's3://antonputra-test/README.md', '-']
22 |       containers:
23 |         - name: nginx
24 |           image: nginx:1.14.2
25 |           ports:
26 |             - containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/065/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/065/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/065/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/065/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/065/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/065/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/065/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/065/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/065/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/065/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/065/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/065/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/065/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/065/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/065/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/065/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/065/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/065/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/065/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
(resource listing identical to the one shown under CKV_K8S_14 above)
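The findings checkov raises against lessons/065/k8s/deployment.yaml (the untagged amazon/aws-cli init container for CKV_K8S_14, the auto-mounted service account token for CKV_K8S_38, and the same container-hardening checks it reports against the other workloads on this page) can all be closed in one edit of the manifest. The manifest below is an added example, not a file from the tutorials repository: it keeps the page's names (nginx-deployment, the app service account, the s3://antonputra-test bucket) and adds the fields each check looks for. Image tags, the 10001 UID and the resource figures are assumptions to adjust. The stock nginx image starts as root and binds port 80, so the example swaps in the nginxinc/nginx-unprivileged build (image and tag are assumptions), which listens on 8080 and runs under any UID; the init container is assumed to get its AWS credentials through IRSA on the app service account, as the page's `aws s3 cp` without any credential environment suggests.

```yaml
# Added example (not from the tutorials repo): lessons/065/k8s/deployment.yaml
# rewritten so that the checkov Kubernetes checks listed on this page pass.
# Assumptions: image tags, the 10001 UID and the resource figures are placeholders
# to adjust; the nginx image is the unprivileged build, which listens on 8080.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  namespace: default
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx
    spec:
      serviceAccountName: app
      # CKV_K8S_38: nothing in this pod talks to the Kubernetes API, so the default
      # API token is not mounted. The IRSA web-identity token the AWS CLI uses is a
      # separate projected volume injected by the EKS pod identity webhook; confirm
      # it is still present (kubectl get pod ... -o yaml) after this change.
      automountServiceAccountToken: false
      securityContext:                       # CKV_K8S_29: pod-level context
        runAsNonRoot: true                   # CKV_K8S_23
        runAsUser: 10001                     # CKV_K8S_40: UID above 10000 (assumed value)
        runAsGroup: 10001
        fsGroup: 10001
        seccompProfile:
          type: RuntimeDefault               # CKV_K8S_31
      volumes:
      - name: tmp                            # the only writable path in either container
        emptyDir: {}
      initContainers:
      - name: aws-cli
        image: amazon/aws-cli:2.13.28        # CKV_K8S_14: explicit tag (version is an assumption)
        imagePullPolicy: Always              # CKV_K8S_15
        command: ['aws', 's3', 'cp', 's3://antonputra-test/README.md', '-']
        env:
        - name: HOME                         # the CLI writes its credential cache under
          value: /tmp                        # $HOME/.aws, which a read-only root fs forbids
        securityContext:                     # CKV_K8S_30: container-level context
          allowPrivilegeEscalation: false    # CKV_K8S_20
          readOnlyRootFilesystem: true       # CKV_K8S_22
          capabilities:
            drop: ["ALL"]                    # CKV_K8S_28 and CKV_K8S_37
        resources:
          requests: {cpu: 50m, memory: 64Mi}     # CKV_K8S_10 / CKV_K8S_12
          limits: {cpu: 250m, memory: 128Mi}     # CKV_K8S_11 / CKV_K8S_13
        volumeMounts:
        - name: tmp
          mountPath: /tmp
      containers:
      - name: nginx
        # CKV_K8S_43 wants a digest: resolve one with `crane digest <image>` or
        # `docker buildx imagetools inspect <image>` and append @sha256:<digest>.
        # None is filled in here because the page does not carry one.
        image: nginxinc/nginx-unprivileged:1.25.3   # assumed image and tag
        imagePullPolicy: Always
        ports:
        - containerPort: 8080                # the unprivileged build cannot bind 80
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
        resources:
          requests: {cpu: 50m, memory: 64Mi}
          limits: {cpu: 250m, memory: 128Mi}
        volumeMounts:
        - name: tmp                          # nginx-unprivileged keeps its pid file and
          mountPath: /tmp                    # temp paths under /tmp
```

Re-run `checkov -f deployment.yaml --framework kubernetes` on the edited file; every check named in the comments should move to PASSED except CKV_K8S_43, which stays open until the images are pinned by digest. The one behavioural change to test is the init container: if `aws s3 cp` still succeeds with `automountServiceAccountToken: false`, the IRSA token volume is being injected independently of the default token, which is what this configuration relies on.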
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/083/grafana/4-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/083/grafana/4-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/083/grafana/4-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/083/grafana/4-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/083/grafana/4-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/083/grafana/4-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/083/grafana/4-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/083/grafana/4-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/083/grafana/4-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/083/grafana/4-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/083/grafana/4-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/083/grafana/4-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/083/grafana/4-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/083/grafana/4-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/083/grafana/4-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/083/grafana/4-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/083/grafana/4-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_155: "Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations"
FAILED for resource: ClusterRole.default.cert-083-cert-manager-cainjector
File: /lessons/083/helm-generated-yaml/cert-manager/templates/cainjector-rbac.yaml:3-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-control-over-validating-or-mutating-admission-webhook-configurations-are-minimized.html
3 | apiVersion: rbac.authorization.k8s.io/v1
4 | kind: ClusterRole
5 | metadata:
6 | name: cert-083-cert-manager-cainjector
7 | labels:
8 | app: cainjector
9 | app.kubernetes.io/name: cainjector
10 | app.kubernetes.io/instance: cert-083
11 | app.kubernetes.io/component: "cainjector"
12 | app.kubernetes.io/version: "v1.5.3"
13 | app.kubernetes.io/managed-by: Helm
14 | helm.sh/chart: cert-manager-v1.5.3
15 | rules:
16 | - apiGroups: ["cert-manager.io"]
17 | resources: ["certificates"]
18 | verbs: ["get", "list", "watch"]
19 | - apiGroups: [""]
20 | resources: ["secrets"]
21 | verbs: ["get", "list", "watch"]
22 | - apiGroups: [""]
23 | resources: ["events"]
24 | verbs: ["get", "create", "update", "patch"]
25 | - apiGroups: ["admissionregistration.k8s.io"]
26 | resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
27 | verbs: ["get", "list", "watch", "update"]
28 | - apiGroups: ["apiregistration.k8s.io"]
29 | resources: ["apiservices"]
30 | verbs: ["get", "list", "watch", "update"]
31 | - apiGroups: ["apiextensions.k8s.io"]
32 | resources: ["customresourcedefinitions"]
33 | verbs: ["get", "list", "watch", "update"]
34 | - apiGroups: ["auditregistration.k8s.io"]
35 | resources: ["auditsinks"]
36 | verbs: ["get", "list", "watch", "update"]
37 | ---
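CKV_K8S_155 is a true report on the rules above but not something to fix by trimming verbs: cainjector exists to write CA bundles into validating and mutating webhook configurations, CRDs and APIServices, so `update` on those resources is its job, and removing it breaks cert-manager's own webhook. What a reviewer can do is record the accepted risk where checkov will see it and drop the one rule that grants nothing on a current cluster, the `auditregistration.k8s.io/auditsinks` rule, whose alpha API was removed in Kubernetes 1.19. The manifest below is an added example rather than the cert-manager chart's own template: it is the ClusterRole from the finding with checkov's `checkov.io/skip<N>` suppression annotation added and the auditsinks rule removed (assumption: the cluster runs Kubernetes 1.19 or newer). Because lessons/083/helm-generated-yaml is rendered output, the annotation is lost on the next `helm template`; for a durable decision, put the same check ID under `skip-check` in a `.checkov.yaml` at the repository root, accepting that a config-file skip applies to every ClusterRole rather than this one.

```yaml
# Added example (not the cert-manager chart's own file): the cainjector ClusterRole
# from the finding above with a checkov suppression annotation recording why
# CKV_K8S_155 is accepted, and with the auditsinks rule removed (assumption:
# Kubernetes 1.19+, where auditregistration.k8s.io no longer exists).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-083-cert-manager-cainjector
  labels:
    app: cainjector
    app.kubernetes.io/name: cainjector
    app.kubernetes.io/instance: cert-083
    app.kubernetes.io/component: "cainjector"
    app.kubernetes.io/version: "v1.5.3"
    app.kubernetes.io/managed-by: Helm
    helm.sh/chart: cert-manager-v1.5.3
  annotations:
    # checkov reads checkov.io/skip<N> annotations on the resource; the text after
    # '=' is the audit note that appears in the report as the skip reason.
    checkov.io/skip1: CKV_K8S_155=cainjector must write CA bundles into webhook configurations, CRDs and APIServices; accepted by design
rules:
- apiGroups: ["cert-manager.io"]
  resources: ["certificates"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["events"]
  verbs: ["get", "create", "update", "patch"]
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
  verbs: ["get", "list", "watch", "update"]
- apiGroups: ["apiregistration.k8s.io"]
  resources: ["apiservices"]
  verbs: ["get", "list", "watch", "update"]
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["get", "list", "watch", "update"]
```

Note what this check does not flag: the same role reads every Secret in the cluster (`secrets` with `get`, `list`, `watch`, cluster-wide), which is inherent to how cainjector finds CA material but is the more valuable permission to an attacker who compromises the cainjector pod. Treat the cert-manager namespace and its service accounts as highly privileged regardless of how this one finding is resolved.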
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Job.cert-manager.cert-083-cert-manager-startupapicheck
File: /lessons/083/helm-generated-yaml/cert-manager/templates/startupapicheck-job.yaml:3-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
3 | apiVersion: batch/v1
4 | kind: Job
5 | metadata:
6 | name: cert-083-cert-manager-startupapicheck
7 | namespace: "cert-manager"
8 | labels:
9 | app: startupapicheck
10 | app.kubernetes.io/name: startupapicheck
11 | app.kubernetes.io/instance: cert-083
12 | app.kubernetes.io/component: "startupapicheck"
13 | app.kubernetes.io/version: "v1.5.3"
14 | app.kubernetes.io/managed-by: Helm
15 | helm.sh/chart: cert-manager-v1.5.3
16 | annotations:
17 | helm.sh/hook: post-install
18 | helm.sh/hook-delete-policy: hook-succeeded
19 | helm.sh/hook-weight: "1"
20 | spec:
21 | backoffLimit: 4
22 | template:
23 | metadata:
24 | labels:
25 | app: startupapicheck
26 | app.kubernetes.io/name: startupapicheck
27 | app.kubernetes.io/instance: cert-083
28 | app.kubernetes.io/component: "startupapicheck"
29 | app.kubernetes.io/version: "v1.5.3"
30 | app.kubernetes.io/managed-by: Helm
31 | helm.sh/chart: cert-manager-v1.5.3
32 | spec:
33 | restartPolicy: OnFailure
34 | serviceAccountName: cert-083-cert-manager-startupapicheck
35 | securityContext:
36 | runAsNonRoot: true
37 | containers:
38 | - name: cert-manager
39 | image: "quay.io/jetstack/cert-manager-ctl:v1.5.3"
40 | imagePullPolicy: IfNotPresent
41 | args:
42 | - check
43 | - api
44 | - --wait=1m
45 | resources:
46 | {}
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Job.cert-manager.cert-083-cert-manager-startupapicheck
File: /lessons/083/helm-generated-yaml/cert-manager/templates/startupapicheck-job.yaml:3-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
(resource listing identical to the one shown under CKV_K8S_11 above)
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Job.cert-manager.cert-083-cert-manager-startupapicheck
File: /lessons/083/helm-generated-yaml/cert-manager/templates/startupapicheck-job.yaml:3-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
(resource listing identical to the one shown under CKV_K8S_11 above)
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Job.cert-manager.cert-083-cert-manager-startupapicheck
File: /lessons/083/helm-generated-yaml/cert-manager/templates/startupapicheck-job.yaml:3-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
(resource listing identical to the one shown under CKV_K8S_11 above)
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Job.cert-manager.cert-083-cert-manager-startupapicheck
File: /lessons/083/helm-generated-yaml/cert-manager/templates/startupapicheck-job.yaml:3-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
(resource listing identical to the one shown under CKV_K8S_11 above)
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Job.cert-manager.cert-083-cert-manager-startupapicheck
File: /lessons/083/helm-generated-yaml/cert-manager/templates/startupapicheck-job.yaml:3-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
(resource listing identical to the one shown under CKV_K8S_11 above)
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Job.cert-manager.cert-083-cert-manager-startupapicheck
File: /lessons/083/helm-generated-yaml/cert-manager/templates/startupapicheck-job.yaml:3-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
(resource listing identical to the one shown under CKV_K8S_11 above)
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Job.cert-manager.cert-083-cert-manager-startupapicheck
File: /lessons/083/helm-generated-yaml/cert-manager/templates/startupapicheck-job.yaml:3-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
(resource listing identical to the one shown under CKV_K8S_11 above)
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Job.cert-manager.cert-083-cert-manager-startupapicheck
File: /lessons/083/helm-generated-yaml/cert-manager/templates/startupapicheck-job.yaml:3-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
(resource listing identical to the one shown under CKV_K8S_11 above)
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Job.cert-manager.cert-083-cert-manager-startupapicheck
File: /lessons/083/helm-generated-yaml/cert-manager/templates/startupapicheck-job.yaml:3-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
(resource listing identical to the one shown under CKV_K8S_11 above)
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Job.cert-manager.cert-083-cert-manager-startupapicheck
File: /lessons/083/helm-generated-yaml/cert-manager/templates/startupapicheck-job.yaml:3-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
(resource listing identical to the one shown under CKV_K8S_11 above)
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Job.cert-manager.cert-083-cert-manager-startupapicheck
File: /lessons/083/helm-generated-yaml/cert-manager/templates/startupapicheck-job.yaml:3-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
(resource listing identical to the one shown under CKV_K8S_11 above)
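The startupapicheck Job findings above are against files under lessons/083/helm-generated-yaml, which is rendered chart output: any field added there is overwritten the next time `helm template` runs. The place to fix them is the chart's values, after which the YAML in the repository is regenerated. The override below is an added example, not a file from the tutorials repository or from the cert-manager chart. The key names are assumptions to verify against `helm show values jetstack/cert-manager --version <ver>`: `startupapicheck.resources`, `startupapicheck.securityContext` and `startupapicheck.image.pullPolicy` correspond to the rendered fields visible above, while `containerSecurityContext` is not in the v1.5.3 chart shown here and appears in later chart versions, so closing the container-level checks pairs with a chart upgrade. The resource figures and UID are placeholders.

```yaml
# Added example (not from the tutorials repo or the cert-manager chart): a values
# override for the jetstack/cert-manager chart that closes the startupapicheck
# Job findings at the source, after which lessons/083's YAML is re-rendered.
# Assumptions: key names follow the chart's documented values; containerSecurityContext
# is only present in chart versions newer than v1.5.3; figures are placeholders.
startupapicheck:
  image:
    pullPolicy: Always                   # CKV_K8S_15
  resources:                             # CKV_K8S_10 .. CKV_K8S_13
    requests:
      cpu: 10m
      memory: 32Mi
    limits:
      cpu: 100m
      memory: 64Mi
  securityContext:                       # pod-level; replaces the chart's bare runAsNonRoot
    runAsNonRoot: true
    runAsUser: 10001                     # CKV_K8S_40
    seccompProfile:
      type: RuntimeDefault               # CKV_K8S_31
  containerSecurityContext:              # CKV_K8S_30, 20, 22, 28, 37 (newer charts only)
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop: ["ALL"]
  # CKV_K8S_38 stays open on purpose: `cert-manager-ctl check api` talks to the
  # Kubernetes API, so this Job genuinely needs its service account token.

# The webhook Deployment in the same chart takes the parallel keys under `webhook:`
# (resources, securityContext, containerSecurityContext) for the identical checks.
webhook:
  resources:
    requests:
      cpu: 10m
      memory: 32Mi
    limits:
      cpu: 100m
      memory: 64Mi
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    seccompProfile:
      type: RuntimeDefault
  containerSecurityContext:
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop: ["ALL"]
```

Render with `helm template cert-083 jetstack/cert-manager -n cert-manager -f values.yaml` and scan the output directory with `checkov -d . --framework kubernetes`; CKV_K8S_43 (image digests) and CKV_K8S_38 on the Job remain, the first until the image references are pinned by digest, the second because the Job cannot do its work without the token.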
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager-webhook
File: /lessons/083/helm-generated-yaml/cert-manager/templates/webhook-deployment.yaml:3-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager-webhook
File: /lessons/083/helm-generated-yaml/cert-manager/templates/webhook-deployment.yaml:3-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager-webhook
File: /lessons/083/helm-generated-yaml/cert-manager/templates/webhook-deployment.yaml:3-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager-webhook
File: /lessons/083/helm-generated-yaml/cert-manager/templates/webhook-deployment.yaml:3-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager-webhook
File: /lessons/083/helm-generated-yaml/cert-manager/templates/webhook-deployment.yaml:3-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager-webhook
File: /lessons/083/helm-generated-yaml/cert-manager/templates/webhook-deployment.yaml:3-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager-webhook
File: /lessons/083/helm-generated-yaml/cert-manager/templates/webhook-deployment.yaml:3-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager-webhook
File: /lessons/083/helm-generated-yaml/cert-manager/templates/webhook-deployment.yaml:3-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager-webhook
File: /lessons/083/helm-generated-yaml/cert-manager/templates/webhook-deployment.yaml:3-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager-webhook
File: /lessons/083/helm-generated-yaml/cert-manager/templates/webhook-deployment.yaml:3-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager-webhook
File: /lessons/083/helm-generated-yaml/cert-manager/templates/webhook-deployment.yaml:3-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager-webhook
File: /lessons/083/helm-generated-yaml/cert-manager/templates/webhook-deployment.yaml:3-77
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager-cainjector
File: /lessons/083/helm-generated-yaml/cert-manager/templates/cainjector-deployment.yaml:3-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
3 | apiVersion: apps/v1
4 | kind: Deployment
5 | metadata:
6 | name: cert-083-cert-manager-cainjector
7 | namespace: "cert-manager"
8 | labels:
9 | app: cainjector
10 | app.kubernetes.io/name: cainjector
11 | app.kubernetes.io/instance: cert-083
12 | app.kubernetes.io/component: "cainjector"
13 | app.kubernetes.io/version: "v1.5.3"
14 | app.kubernetes.io/managed-by: Helm
15 | helm.sh/chart: cert-manager-v1.5.3
16 | spec:
17 | replicas: 1
18 | selector:
19 | matchLabels:
20 | app.kubernetes.io/name: cainjector
21 | app.kubernetes.io/instance: cert-083
22 | app.kubernetes.io/component: "cainjector"
23 | template:
24 | metadata:
25 | labels:
26 | app: cainjector
27 | app.kubernetes.io/name: cainjector
28 | app.kubernetes.io/instance: cert-083
29 | app.kubernetes.io/component: "cainjector"
30 | app.kubernetes.io/version: "v1.5.3"
31 | app.kubernetes.io/managed-by: Helm
32 | helm.sh/chart: cert-manager-v1.5.3
33 | spec:
34 | serviceAccountName: cert-083-cert-manager-cainjector
35 | securityContext:
36 | runAsNonRoot: true
37 | containers:
38 | - name: cert-manager
39 | image: "quay.io/jetstack/cert-manager-cainjector:v1.5.3"
40 | imagePullPolicy: IfNotPresent
41 | args:
42 | - --v=2
43 | - --leader-election-namespace=kube-system
44 | env:
45 | - name: POD_NAMESPACE
46 | valueFrom:
47 | fieldRef:
48 | fieldPath: metadata.namespace
49 | resources:
50 | {}
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager-cainjector
File: /lessons/083/helm-generated-yaml/cert-manager/templates/cainjector-deployment.yaml:3-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager-cainjector
File: /lessons/083/helm-generated-yaml/cert-manager/templates/cainjector-deployment.yaml:3-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager-cainjector
File: /lessons/083/helm-generated-yaml/cert-manager/templates/cainjector-deployment.yaml:3-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager-cainjector
File: /lessons/083/helm-generated-yaml/cert-manager/templates/cainjector-deployment.yaml:3-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager-cainjector
File: /lessons/083/helm-generated-yaml/cert-manager/templates/cainjector-deployment.yaml:3-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager-cainjector
File: /lessons/083/helm-generated-yaml/cert-manager/templates/cainjector-deployment.yaml:3-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager-cainjector
File: /lessons/083/helm-generated-yaml/cert-manager/templates/cainjector-deployment.yaml:3-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager-cainjector
File: /lessons/083/helm-generated-yaml/cert-manager/templates/cainjector-deployment.yaml:3-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager-cainjector
File: /lessons/083/helm-generated-yaml/cert-manager/templates/cainjector-deployment.yaml:3-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager-cainjector
File: /lessons/083/helm-generated-yaml/cert-manager/templates/cainjector-deployment.yaml:3-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager-cainjector
File: /lessons/083/helm-generated-yaml/cert-manager/templates/cainjector-deployment.yaml:3-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager-cainjector
File: /lessons/083/helm-generated-yaml/cert-manager/templates/cainjector-deployment.yaml:3-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager-cainjector
File: /lessons/083/helm-generated-yaml/cert-manager/templates/cainjector-deployment.yaml:3-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager
File: /lessons/083/helm-generated-yaml/cert-manager/templates/deployment.yaml:3-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager
File: /lessons/083/helm-generated-yaml/cert-manager/templates/deployment.yaml:3-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager
File: /lessons/083/helm-generated-yaml/cert-manager/templates/deployment.yaml:3-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager
File: /lessons/083/helm-generated-yaml/cert-manager/templates/deployment.yaml:3-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager
File: /lessons/083/helm-generated-yaml/cert-manager/templates/deployment.yaml:3-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager
File: /lessons/083/helm-generated-yaml/cert-manager/templates/deployment.yaml:3-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager
File: /lessons/083/helm-generated-yaml/cert-manager/templates/deployment.yaml:3-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager
File: /lessons/083/helm-generated-yaml/cert-manager/templates/deployment.yaml:3-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager
File: /lessons/083/helm-generated-yaml/cert-manager/templates/deployment.yaml:3-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager
File: /lessons/083/helm-generated-yaml/cert-manager/templates/deployment.yaml:3-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager
File: /lessons/083/helm-generated-yaml/cert-manager/templates/deployment.yaml:3-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager
File: /lessons/083/helm-generated-yaml/cert-manager/templates/deployment.yaml:3-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager
File: /lessons/083/helm-generated-yaml/cert-manager/templates/deployment.yaml:3-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.cert-manager.cert-083-cert-manager
File: /lessons/083/helm-generated-yaml/cert-manager/templates/deployment.yaml:3-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: ClusterRole.default.prometheus-operator
File: /lessons/083/prometheus/1-prometheus-operator/3-cluster-role.yaml:2-76
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/083/prometheus/1-prometheus-operator/5-deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: prometheus-operator
6 |   namespace: monitoring
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app.kubernetes.io/name: prometheus-operator
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app.kubernetes.io/name: prometheus-operator
16 |     spec:
17 |       containers:
18 |       - args:
19 |         - --kubelet-service=kube-system/kubelet
20 |         - --prometheus-config-reloader=quay.io/prometheus-operator/prometheus-config-reloader:v0.50.0
21 |         image: quay.io/prometheus-operator/prometheus-operator:v0.50.0
22 |         name: prometheus-operator
23 |         ports:
24 |         - containerPort: 8080
25 |           name: http
26 |         resources:
27 |           limits:
28 |             cpu: 200m
29 |             memory: 200Mi
30 |           requests:
31 |             cpu: 100m
32 |             memory: 100Mi
33 |         securityContext:
34 |           allowPrivilegeEscalation: false
35 |       nodeSelector:
36 |         kubernetes.io/os: linux
37 |       securityContext:
38 |         runAsNonRoot: true
39 |         runAsUser: 65534
40 |       serviceAccountName: prometheus-operator
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/083/prometheus/1-prometheus-operator/5-deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/083/prometheus/1-prometheus-operator/5-deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/083/prometheus/1-prometheus-operator/5-deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/083/prometheus/1-prometheus-operator/5-deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/083/prometheus/1-prometheus-operator/5-deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/083/prometheus/1-prometheus-operator/5-deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/083/prometheus/1-prometheus-operator/5-deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/083/prometheus/1-prometheus-operator/5-deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: ClusterRole.default.prometheus-operator
File: /lessons/073/3-prometheus-operator/0-rbac.yaml:12-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/073/3-prometheus-operator/1-deployment.yaml:2-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   labels:
6 |     app.kubernetes.io/component: controller
7 |     app.kubernetes.io/name: prometheus-operator
8 |     app.kubernetes.io/version: 0.48.1
9 |   name: prometheus-operator
10 |   namespace: monitoring
11 | spec:
12 |   replicas: 1
13 |   selector:
14 |     matchLabels:
15 |       app.kubernetes.io/component: controller
16 |       app.kubernetes.io/name: prometheus-operator
17 |   template:
18 |     metadata:
19 |       annotations:
20 |         kubectl.kubernetes.io/default-container: prometheus-operator
21 |       labels:
22 |         app.kubernetes.io/component: controller
23 |         app.kubernetes.io/name: prometheus-operator
24 |         app.kubernetes.io/version: 0.48.1
25 |     spec:
26 |       containers:
27 |       - args:
28 |         - --kubelet-service=kube-system/kubelet
29 |         - --prometheus-config-reloader=quay.io/prometheus-operator/prometheus-config-reloader:v0.48.1
30 |         image: quay.io/prometheus-operator/prometheus-operator:v0.48.1
31 |         name: prometheus-operator
32 |         ports:
33 |         - containerPort: 8080
34 |           name: http
35 |         resources:
36 |           limits:
37 |             cpu: 200m
38 |             memory: 200Mi
39 |           requests:
40 |             cpu: 100m
41 |             memory: 100Mi
42 |         securityContext:
43 |           allowPrivilegeEscalation: false
44 |       nodeSelector:
45 |         kubernetes.io/os: linux
46 |       securityContext:
47 |         runAsNonRoot: true
48 |         runAsUser: 65534
49 |       serviceAccountName: prometheus-operator
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/073/3-prometheus-operator/1-deployment.yaml:2-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/073/3-prometheus-operator/1-deployment.yaml:2-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/073/3-prometheus-operator/1-deployment.yaml:2-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/073/3-prometheus-operator/1-deployment.yaml:2-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/073/3-prometheus-operator/1-deployment.yaml:2-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/073/3-prometheus-operator/1-deployment.yaml:2-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/073/3-prometheus-operator/1-deployment.yaml:2-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/073/3-prometheus-operator/1-deployment.yaml:2-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: ClusterRole.default.prometheus-adapter-server-resources
File: /lessons/073/6-prometheus-adapter/1-custom-metrics/0-rbac.yaml:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
2 | apiVersion: rbac.authorization.k8s.io/v1
3 | kind: ClusterRole
4 | metadata:
5 |   labels:
6 |     app: prometheus-adapter
7 |   name: prometheus-adapter-server-resources
8 | rules:
9 | - apiGroups:
10 |   - custom.metrics.k8s.io
11 |   resources: ["*"]
12 |   verbs: ["*"]
13 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.custom-metrics-prometheus-adapter
File: /lessons/073/6-prometheus-adapter/0-adapter/2-deployment.yaml:2-76
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.monitoring.custom-metrics-prometheus-adapter
File: /lessons/073/6-prometheus-adapter/0-adapter/2-deployment.yaml:2-76
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.custom-metrics-prometheus-adapter
File: /lessons/073/6-prometheus-adapter/0-adapter/2-deployment.yaml:2-76
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.custom-metrics-prometheus-adapter
File: /lessons/073/6-prometheus-adapter/0-adapter/2-deployment.yaml:2-76
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.custom-metrics-prometheus-adapter
File: /lessons/073/6-prometheus-adapter/0-adapter/2-deployment.yaml:2-76
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_6: "Do not admit root containers"
FAILED for resource: PodSecurityPolicy.default.cadvisor
File: /lessons/073/7-cadvisor/1-podsecuritypolicy.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-5.html
2 | apiVersion: policy/v1beta1
3 | kind: PodSecurityPolicy
4 | metadata:
5 |   name: cadvisor
6 | spec:
7 |   seLinux:
8 |     rule: RunAsAny
9 |   supplementalGroups:
10 |     rule: RunAsAny
11 |   runAsUser:
12 |     rule: RunAsAny
13 |   fsGroup:
14 |     rule: RunAsAny
15 |   volumes:
16 |   - '*'
17 |   allowedHostPaths:
18 |   - pathPrefix: "/"
19 |   - pathPrefix: "/var/run"
20 |   - pathPrefix: "/sys"
21 |   - pathPrefix: "/var/lib/docker"
22 |   - pathPrefix: "/dev/disk"
Check: CKV_K8S_7: "Do not admit containers with the NET_RAW capability"
FAILED for resource: PodSecurityPolicy.default.cadvisor
File: /lessons/073/7-cadvisor/1-podsecuritypolicy.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-6.html
Check: CKV_K8S_36: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: PodSecurityPolicy.default.cadvisor
File: /lessons/073/7-cadvisor/1-podsecuritypolicy.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/minimize-the-admission-of-containers-with-capabilities-assigned.html
Check: CKV_K8S_32: "Ensure default seccomp profile set to docker/default or runtime/default"
FAILED for resource: PodSecurityPolicy.default.cadvisor
File: /lessons/073/7-cadvisor/1-podsecuritypolicy.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-30.html
Check: CKV_K8S_5: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: PodSecurityPolicy.default.cadvisor
File: /lessons/073/7-cadvisor/1-podsecuritypolicy.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-containers-do-not-run-with-allowprivilegeescalation.html
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/073/7-cadvisor/2-daemonset.yaml:2-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/073/7-cadvisor/2-daemonset.yaml:2-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/073/7-cadvisor/2-daemonset.yaml:2-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/073/7-cadvisor/2-daemonset.yaml:2-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/073/7-cadvisor/2-daemonset.yaml:2-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/073/7-cadvisor/2-daemonset.yaml:2-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/073/7-cadvisor/2-daemonset.yaml:2-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/073/7-cadvisor/2-daemonset.yaml:2-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/073/7-cadvisor/2-daemonset.yaml:2-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/073/7-cadvisor/2-daemonset.yaml:2-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/073/7-cadvisor/2-daemonset.yaml:2-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/073/7-cadvisor/2-daemonset.yaml:2-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/073/7-cadvisor/2-daemonset.yaml:2-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.demo.express
File: /lessons/073/5-demo/0-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: express
6 |   namespace: demo
7 | spec:
8 |   selector:
9 |     matchLabels:
10 |       app: express
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: express
15 |     spec:
16 |       containers:
17 |       - image: aputra/express-073:latest
18 |         name: express
19 |         ports:
20 |         - name: http
21 |           containerPort: 8081
22 |         resources:
23 |           limits:
24 |             cpu: 500m
25 |             memory: 256Mi
26 |           requests:
27 |             cpu: 200m
28 |             memory: 128Mi
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.demo.express
File: /lessons/073/5-demo/0-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.demo.express
File: /lessons/073/5-demo/0-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.demo.express
File: /lessons/073/5-demo/0-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.demo.express
File: /lessons/073/5-demo/0-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.demo.express
File: /lessons/073/5-demo/0-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.demo.express
File: /lessons/073/5-demo/0-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.demo.express
File: /lessons/073/5-demo/0-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.demo.express
File: /lessons/073/5-demo/0-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.demo.express
File: /lessons/073/5-demo/0-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.demo.express
File: /lessons/073/5-demo/0-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.demo.express
File: /lessons/073/5-demo/0-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.demo.express
File: /lessons/073/5-demo/0-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.demo.express
File: /lessons/073/5-demo/0-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.hamster
File: /lessons/074/1-demo/0-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: hamster
6 |   namespace: default
7 | spec:
8 |   selector:
9 |     matchLabels:
10 |       app: hamster
11 |   replicas: 1
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: hamster
16 |     spec:
17 |       containers:
18 |       - name: hamster
19 |         image: k8s.gcr.io/ubuntu-slim:0.1
20 |         resources:
21 |           requests:
22 |             cpu: 180m
23 |             memory: 50Mi
24 |           limits:
25 |             cpu: 600m
26 |             memory: 100Mi
27 |         command: ["/bin/sh"]
28 |         args:
29 |         - "-c"
30 |         - "while true; do timeout 0.2s yes >/dev/null; sleep 0.5s; done"
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.hamster
File: /lessons/074/1-demo/0-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.hamster
File: /lessons/074/1-demo/0-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.hamster
File: /lessons/074/1-demo/0-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.hamster
File: /lessons/074/1-demo/0-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.hamster
File: /lessons/074/1-demo/0-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.hamster
File: /lessons/074/1-demo/0-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.hamster
File: /lessons/074/1-demo/0-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.hamster
File: /lessons/074/1-demo/0-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.hamster
File: /lessons/074/1-demo/0-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.hamster
File: /lessons/074/1-demo/0-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.hamster
File: /lessons/074/1-demo/0-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.hamster
File: /lessons/074/1-demo/0-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.hamster
File: /lessons/074/1-demo/0-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.hamster
File: /lessons/074/1-demo/0-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.kube-system.metrics-server
File: /lessons/074/0-metrics-server/5-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.kube-system.metrics-server
File: /lessons/074/0-metrics-server/5-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.kube-system.metrics-server
File: /lessons/074/0-metrics-server/5-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.kube-system.metrics-server
File: /lessons/074/0-metrics-server/5-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.kube-system.metrics-server
File: /lessons/074/0-metrics-server/5-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.kube-system.metrics-server
File: /lessons/074/0-metrics-server/5-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.kube-system.metrics-server
File: /lessons/074/0-metrics-server/5-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.kube-system.metrics-server
File: /lessons/074/0-metrics-server/5-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.kube-system.metrics-server
File: /lessons/074/0-metrics-server/5-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.kube-system.metrics-server
File: /lessons/074/0-metrics-server/5-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.kube-system.metrics-server
File: /lessons/074/0-metrics-server/5-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/114/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx-deployment
6 |   labels:
7 |     app: nginx
8 | spec:
9 |   replicas: 5
10 |   selector:
11 |     matchLabels:
12 |       app: nginx
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: nginx
17 |     spec:
18 |       containers:
19 |       - name: nginx
20 |         image: nginx:1.14.2
21 |         resources:
22 |           requests:
23 |             cpu: "4"
24 |             memory: 4Gi
25 |         ports:
26 |         - containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/114/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/114/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/114/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/114/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/114/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/114/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/114/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/114/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/114/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/114/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/114/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/114/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/114/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/114/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/114/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/114/k8s/deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: ClusterRole.default.reader
File: /lessons/038/k8s/rbac.yaml:2-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
2 | apiVersion: rbac.authorization.k8s.io/v1
3 | kind: ClusterRole
4 | metadata:
5 |   name: reader
6 | rules:
7 | - apiGroups: ["*"]
8 |   resources: ["deployments", "configmaps", "pods", "secrets", "services"]
9 |   verbs: ["get", "list", "watch"]
10 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/038/k8s/app.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 |   labels:
7 |     app: nginx
8 | spec:
9 |   replicas: 1
10 |   selector:
11 |     matchLabels:
12 |       app: nginx
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: nginx
17 |     spec:
18 |       containers:
19 |       - name: nginx
20 |         image: nginx:1.14.2
21 |         ports:
22 |         - containerPort: 80
23 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx
File: /lessons/038/k8s/app.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/038/k8s/app.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx
File: /lessons/038/k8s/app.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/038/k8s/app.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/038/k8s/app.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/038/k8s/app.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx
File: /lessons/038/k8s/app.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 |   labels:
7 |     app: nginx
8 | spec:
9 |   replicas: 1
10 |   selector:
11 |     matchLabels:
12 |       app: nginx
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: nginx
17 |     spec:
18 |       containers:
19 |       - name: nginx
20 |         image: nginx:1.14.2
21 |         ports:
22 |         - containerPort: 80
23 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx
File: /lessons/038/k8s/app.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 |   labels:
7 |     app: nginx
8 | spec:
9 |   replicas: 1
10 |   selector:
11 |     matchLabels:
12 |       app: nginx
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: nginx
17 |     spec:
18 |       containers:
19 |       - name: nginx
20 |         image: nginx:1.14.2
21 |         ports:
22 |         - containerPort: 80
23 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/038/k8s/app.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 |   labels:
7 |     app: nginx
8 | spec:
9 |   replicas: 1
10 |   selector:
11 |     matchLabels:
12 |       app: nginx
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: nginx
17 |     spec:
18 |       containers:
19 |       - name: nginx
20 |         image: nginx:1.14.2
21 |         ports:
22 |         - containerPort: 80
23 | ---
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/038/k8s/app.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 |   labels:
7 |     app: nginx
8 | spec:
9 |   replicas: 1
10 |   selector:
11 |     matchLabels:
12 |       app: nginx
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: nginx
17 |     spec:
18 |       containers:
19 |       - name: nginx
20 |         image: nginx:1.14.2
21 |         ports:
22 |         - containerPort: 80
23 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx
File: /lessons/038/k8s/app.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 |   labels:
7 |     app: nginx
8 | spec:
9 |   replicas: 1
10 |   selector:
11 |     matchLabels:
12 |       app: nginx
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: nginx
17 |     spec:
18 |       containers:
19 |       - name: nginx
20 |         image: nginx:1.14.2
21 |         ports:
22 |         - containerPort: 80
23 | ---
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/038/k8s/app.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 |   labels:
7 |     app: nginx
8 | spec:
9 |   replicas: 1
10 |   selector:
11 |     matchLabels:
12 |       app: nginx
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: nginx
17 |     spec:
18 |       containers:
19 |       - name: nginx
20 |         image: nginx:1.14.2
21 |         ports:
22 |         - containerPort: 80
23 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx
File: /lessons/038/k8s/app.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 |   labels:
7 |     app: nginx
8 | spec:
9 |   replicas: 1
10 |   selector:
11 |     matchLabels:
12 |       app: nginx
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: nginx
17 |     spec:
18 |       containers:
19 |       - name: nginx
20 |         image: nginx:1.14.2
21 |         ports:
22 |         - containerPort: 80
23 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx
File: /lessons/038/k8s/app.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 |   labels:
7 |     app: nginx
8 | spec:
9 |   replicas: 1
10 |   selector:
11 |     matchLabels:
12 |       app: nginx
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: nginx
17 |     spec:
18 |       containers:
19 |       - name: nginx
20 |         image: nginx:1.14.2
21 |         ports:
22 |         - containerPort: 80
23 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx
File: /lessons/038/k8s/app.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 |   labels:
7 |     app: nginx
8 | spec:
9 |   replicas: 1
10 |   selector:
11 |     matchLabels:
12 |       app: nginx
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: nginx
17 |     spec:
18 |       containers:
19 |       - name: nginx
20 |         image: nginx:1.14.2
21 |         ports:
22 |         - containerPort: 80
23 | ---
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/038/k8s/app.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 |   labels:
7 |     app: nginx
8 | spec:
9 |   replicas: 1
10 |   selector:
11 |     matchLabels:
12 |       app: nginx
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: nginx
17 |     spec:
18 |       containers:
19 |       - name: nginx
20 |         image: nginx:1.14.2
21 |         ports:
22 |         - containerPort: 80
23 | ---
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx
File: /lessons/038/k8s/app.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 |   labels:
7 |     app: nginx
8 | spec:
9 |   replicas: 1
10 |   selector:
11 |     matchLabels:
12 |       app: nginx
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: nginx
17 |     spec:
18 |       containers:
19 |       - name: nginx
20 |         image: nginx:1.14.2
21 |         ports:
22 |         - containerPort: 80
23 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx
File: /lessons/038/k8s/app.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 |   labels:
7 |     app: nginx
8 | spec:
9 |   replicas: 1
10 |   selector:
11 |     matchLabels:
12 |       app: nginx
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: nginx
17 |     spec:
18 |       containers:
19 |       - name: nginx
20 |         image: nginx:1.14.2
21 |         ports:
22 |         - containerPort: 80
23 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.internal-nginx-service
File: /lessons/038/k8s/app.yaml:24-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
24 | apiVersion: v1
25 | kind: Service
26 | metadata:
27 |   name: internal-nginx-service
28 |   annotations:
29 |     service.beta.kubernetes.io/aws-load-balancer-type: nlb
30 |     service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
31 |     service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
32 | spec:
33 |   selector:
34 |     app: nginx
35 |   type: LoadBalancer
36 |   ports:
37 |   - protocol: TCP
38 |     port: 80
39 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.external-nginx-service
File: /lessons/038/k8s/app.yaml:40-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
40 | apiVersion: v1
41 | kind: Service
42 | metadata:
43 |   name: external-nginx-service
44 |   annotations:
45 |     service.beta.kubernetes.io/aws-load-balancer-type: nlb
46 |     service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
47 | spec:
48 |   selector:
49 |     app: nginx
50 |   type: LoadBalancer
51 |   ports:
52 |   - protocol: TCP
53 |     port: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/147/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/147/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/147/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/147/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/147/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/147/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/147/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/147/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/147/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/147/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/147/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/147/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/147/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/147/monitoring/grafana/deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/147/monitoring/grafana/deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/147/monitoring/grafana/deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/147/monitoring/grafana/deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/147/monitoring/grafana/deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/147/monitoring/grafana/deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/147/monitoring/grafana/deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/147/monitoring/grafana/deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/147/monitoring/grafana/deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/147/monitoring/grafana/deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/147/monitoring/grafana/deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: ClusterRole.default.prometheus-operator
File: /lessons/147/monitoring/prometheus-operator/rbac.yaml:19-98
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/147/monitoring/prometheus-operator/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/147/monitoring/prometheus-operator/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/147/monitoring/prometheus-operator/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/147/monitoring/prometheus-operator/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/147/monitoring/prometheus-operator/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/147/monitoring/prometheus-operator/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/147/monitoring/kube-state-metrics/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/147/monitoring/kube-state-metrics/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/147/monitoring/kube-state-metrics/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/147/monitoring/kube-state-metrics/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/147/monitoring/kube-state-metrics/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.go-app-tls
File: /lessons/147/go-app/deploy/deployment-tls.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.go-app-tls
File: /lessons/147/go-app/deploy/deployment-tls.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.go-app-tls
File: /lessons/147/go-app/deploy/deployment-tls.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.go-app-tls
File: /lessons/147/go-app/deploy/deployment-tls.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.go-app-tls
File: /lessons/147/go-app/deploy/deployment-tls.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.go-app-tls
File: /lessons/147/go-app/deploy/deployment-tls.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.go-app-tls
File: /lessons/147/go-app/deploy/deployment-tls.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.go-app-tls
File: /lessons/147/go-app/deploy/deployment-tls.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.go-app-tls
File: /lessons/147/go-app/deploy/deployment-tls.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.go-app-tls
File: /lessons/147/go-app/deploy/deployment-tls.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.go-app-tls
File: /lessons/147/go-app/deploy/deployment-tls.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.go-app-tls
File: /lessons/147/go-app/deploy/deployment-tls.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.staging.go-app-tls
File: /lessons/147/go-app/deploy/deployment-tls.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.go-app-tls
File: /lessons/147/go-app/deploy/deployment-tls.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.go-app
File: /lessons/147/go-app/deploy/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.go-app
File: /lessons/147/go-app/deploy/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.go-app
File: /lessons/147/go-app/deploy/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.go-app
File: /lessons/147/go-app/deploy/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.go-app
File: /lessons/147/go-app/deploy/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.go-app
File: /lessons/147/go-app/deploy/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.go-app
File: /lessons/147/go-app/deploy/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.go-app
File: /lessons/147/go-app/deploy/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.go-app
File: /lessons/147/go-app/deploy/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.go-app
File: /lessons/147/go-app/deploy/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.go-app
File: /lessons/147/go-app/deploy/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.go-app
File: /lessons/147/go-app/deploy/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.staging.go-app
File: /lessons/147/go-app/deploy/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.go-app
File: /lessons/147/go-app/deploy/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.rust-app-tls
File: /lessons/147/rust-app/deploy/deployment-tls.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.rust-app-tls
File: /lessons/147/rust-app/deploy/deployment-tls.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.rust-app-tls
File: /lessons/147/rust-app/deploy/deployment-tls.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.rust-app-tls
File: /lessons/147/rust-app/deploy/deployment-tls.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.rust-app-tls
File: /lessons/147/rust-app/deploy/deployment-tls.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.rust-app-tls
File: /lessons/147/rust-app/deploy/deployment-tls.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.rust-app-tls
File: /lessons/147/rust-app/deploy/deployment-tls.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.rust-app-tls
File: /lessons/147/rust-app/deploy/deployment-tls.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.rust-app-tls
File: /lessons/147/rust-app/deploy/deployment-tls.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.rust-app-tls
File: /lessons/147/rust-app/deploy/deployment-tls.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.rust-app-tls
File: /lessons/147/rust-app/deploy/deployment-tls.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.rust-app-tls
File: /lessons/147/rust-app/deploy/deployment-tls.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.staging.rust-app-tls
File: /lessons/147/rust-app/deploy/deployment-tls.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.rust-app-tls
File: /lessons/147/rust-app/deploy/deployment-tls.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.rust-app
File: /lessons/147/rust-app/deploy/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.rust-app
File: /lessons/147/rust-app/deploy/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.rust-app
File: /lessons/147/rust-app/deploy/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.rust-app
File: /lessons/147/rust-app/deploy/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.rust-app
File: /lessons/147/rust-app/deploy/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.rust-app
File: /lessons/147/rust-app/deploy/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.rust-app
File: /lessons/147/rust-app/deploy/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.rust-app
File: /lessons/147/rust-app/deploy/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.rust-app
File: /lessons/147/rust-app/deploy/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.rust-app
File: /lessons/147/rust-app/deploy/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.rust-app
File: /lessons/147/rust-app/deploy/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.rust-app
File: /lessons/147/rust-app/deploy/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.staging.rust-app
File: /lessons/147/rust-app/deploy/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.rust-app
File: /lessons/147/rust-app/deploy/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: StatefulSet.mongodb.mongodb-standalone
File: /lessons/105/aws-terraform/mongo-exported.yaml:1-232
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: StatefulSet.mongodb.mongodb-standalone
File: /lessons/105/aws-terraform/mongo-exported.yaml:1-232
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: StatefulSet.mongodb.mongodb-standalone
File: /lessons/105/aws-terraform/mongo-exported.yaml:1-232
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: StatefulSet.mongodb.mongodb-standalone
File: /lessons/105/aws-terraform/mongo-exported.yaml:1-232
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: StatefulSet.mongodb.mongodb-standalone
File: /lessons/105/aws-terraform/mongo-exported.yaml:1-232
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: StatefulSet.mongodb.mongodb-standalone
File: /lessons/105/aws-terraform/mongo-exported.yaml:1-232
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: StatefulSet.mongodb.mongodb-standalone
File: /lessons/105/aws-terraform/mongo-exported.yaml:1-232
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: StatefulSet.mongodb.mongodb-standalone
File: /lessons/105/aws-terraform/mongo-exported.yaml:1-232
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: StatefulSet.mongodb.mongodb-standalone
File: /lessons/105/aws-terraform/mongo-exported.yaml:1-232
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: StatefulSet.mongodb.mongodb-standalone
File: /lessons/105/aws-terraform/mongo-exported.yaml:1-232
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: StatefulSet.mongodb.mongodb-standalone
File: /lessons/105/aws-terraform/mongo-exported.yaml:1-232
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: StatefulSet.mongodb.mongodb-standalone
File: /lessons/105/aws-terraform/mongo-exported.yaml:1-232
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: StatefulSet.mongodb.mongodb-standalone
File: /lessons/105/aws-terraform/mongo-exported.yaml:1-232
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: StatefulSet.mongodb.mongodb-standalone
File: /lessons/105/aws-terraform/mongo-exported.yaml:1-232
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/105/k8s/cadvisor/daemonset.yaml:2-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/105/k8s/cadvisor/daemonset.yaml:2-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/105/k8s/cadvisor/daemonset.yaml:2-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/105/k8s/cadvisor/daemonset.yaml:2-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/105/k8s/cadvisor/daemonset.yaml:2-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/105/k8s/cadvisor/daemonset.yaml:2-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/105/k8s/cadvisor/daemonset.yaml:2-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/105/k8s/cadvisor/daemonset.yaml:2-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/105/k8s/cadvisor/daemonset.yaml:2-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/105/k8s/cadvisor/daemonset.yaml:2-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/105/k8s/cadvisor/daemonset.yaml:2-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/105/k8s/cadvisor/daemonset.yaml:2-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/105/k8s/cadvisor/daemonset.yaml:2-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/105/k8s/grafana/deployment.yaml:2-124
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/105/k8s/grafana/deployment.yaml:2-124
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/105/k8s/grafana/deployment.yaml:2-124
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/105/k8s/grafana/deployment.yaml:2-124
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/105/k8s/grafana/deployment.yaml:2-124
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/105/k8s/grafana/deployment.yaml:2-124
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/105/k8s/grafana/deployment.yaml:2-124
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/105/k8s/grafana/deployment.yaml:2-124
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/105/k8s/grafana/deployment.yaml:2-124
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/105/k8s/grafana/deployment.yaml:2-124
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/105/k8s/grafana/deployment.yaml:2-124
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/105/k8s/grafana/deployment.yaml:2-124
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.mongodb.mongodb-kubernetes-operator
File: /lessons/105/k8s/mongodb/operator.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.mongodb.mongodb-kubernetes-operator
File: /lessons/105/k8s/mongodb/operator.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.mongodb.mongodb-kubernetes-operator
File: /lessons/105/k8s/mongodb/operator.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.mongodb.mongodb-kubernetes-operator
File: /lessons/105/k8s/mongodb/operator.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.mongodb.mongodb-kubernetes-operator
File: /lessons/105/k8s/mongodb/operator.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.mongodb.mongodb-kubernetes-operator
File: /lessons/105/k8s/mongodb/operator.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.mongodb.mongodb-kubernetes-operator
File: /lessons/105/k8s/mongodb/operator.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.mongodb.mongodb-kubernetes-operator
File: /lessons/105/k8s/mongodb/operator.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.mongodb.mongodb-kubernetes-operator
File: /lessons/105/k8s/mongodb/operator.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.mongodb.mongodb-kubernetes-operator
File: /lessons/105/k8s/mongodb/operator.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.mongodb.mongodb-exporter
File: /lessons/105/k8s/mongodb/exporter/deployment.yaml:2-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: mongodb-exporter
6 |   namespace: mongodb
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: mongodb-exporter
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: mongodb-exporter
16 |     spec:
17 |       containers:
18 |         - name: mongodb-exporter
19 |           image: percona/mongodb_exporter:0.30
20 |           args:
21 |             - "--mongodb.direct-connect=false"
22 |             - "--mongodb.uri=mongodb+srv://admin-user:[email protected]/admin?ssl=true&tlsCAFile=/var/lib/tls/ca/ca.crt&tlsCertificateKeyFile=/var/lib/tls/server/certificateKey.pem"
23 |           ports:
24 |             - name: metrics
25 |               containerPort: 9216
26 |           resources:
27 |             requests:
28 |               memory: 128Mi
29 |               cpu: 250m
30 |           volumeMounts:
31 |             - mountPath: /var/lib/tls/ca/
32 |               name: tls-ca
33 |               readOnly: true
34 |             - mountPath: /var/lib/tls/server/certificateKey.pem
35 |               name: tls-secret
36 |               subPathExpr: 847a4797b0b13045ba3c76ff71dd689334b2f15b25857791c0e88ac39983d03e.pem
37 |               readOnly: true
38 |       volumes:
39 |         - name: tls-ca
40 |           secret:
41 |             defaultMode: 416
42 |             secretName: mongodb-external-key-pair
43 |         - name: tls-secret
44 |           secret:
45 |             defaultMode: 416
46 |             secretName: my-mongodb-server-certificate-key
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.mongodb.mongodb-exporter
File: /lessons/105/k8s/mongodb/exporter/deployment.yaml:2-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.mongodb.mongodb-exporter
File: /lessons/105/k8s/mongodb/exporter/deployment.yaml:2-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.mongodb.mongodb-exporter
File: /lessons/105/k8s/mongodb/exporter/deployment.yaml:2-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.mongodb.mongodb-exporter
File: /lessons/105/k8s/mongodb/exporter/deployment.yaml:2-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.mongodb.mongodb-exporter
File: /lessons/105/k8s/mongodb/exporter/deployment.yaml:2-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.mongodb.mongodb-exporter
File: /lessons/105/k8s/mongodb/exporter/deployment.yaml:2-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.mongodb.mongodb-exporter
File: /lessons/105/k8s/mongodb/exporter/deployment.yaml:2-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.mongodb.mongodb-exporter
File: /lessons/105/k8s/mongodb/exporter/deployment.yaml:2-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.mongodb.mongodb-exporter
File: /lessons/105/k8s/mongodb/exporter/deployment.yaml:2-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.mongodb.mongodb-exporter
File: /lessons/105/k8s/mongodb/exporter/deployment.yaml:2-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.mongodb.mongodb-exporter
File: /lessons/105/k8s/mongodb/exporter/deployment.yaml:2-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.mongodb.mongodb-exporter
File: /lessons/105/k8s/mongodb/exporter/deployment.yaml:2-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.mongodb.mongodb-exporter
File: /lessons/105/k8s/mongodb/exporter/deployment.yaml:2-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: mongodb-exporter
6 | namespace: mongodb
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: mongodb-exporter
12 | template:
13 | metadata:
14 | labels:
15 | app: mongodb-exporter
16 | spec:
17 | containers:
18 | - name: mongodb-exporter
19 | image: percona/mongodb_exporter:0.30
20 | args:
21 | - "--mongodb.direct-connect=false"
22 | - "--mongodb.uri=mongodb+srv://admin-user:[email protected]/admin?ssl=true&tlsCAFile=/var/lib/tls/ca/ca.crt&tlsCertificateKeyFile=/var/lib/tls/server/certificateKey.pem"
23 | ports:
24 | - name: metrics
25 | containerPort: 9216
26 | resources:
27 | requests:
28 | memory: 128Mi
29 | cpu: 250m
30 | volumeMounts:
31 | - mountPath: /var/lib/tls/ca/
32 | name: tls-ca
33 | readOnly: true
34 | - mountPath: /var/lib/tls/server/certificateKey.pem
35 | name: tls-secret
36 | subPathExpr: 847a4797b0b13045ba3c76ff71dd689334b2f15b25857791c0e88ac39983d03e.pem
37 | readOnly: true
38 | volumes:
39 | - name: tls-ca
40 | secret:
41 | defaultMode: 416
42 | secretName: mongodb-external-key-pair
43 | - name: tls-secret
44 | secret:
45 | defaultMode: 416
46 | secretName: my-mongodb-server-certificate-key
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.mongodb.mongodb-exporter
File: /lessons/105/k8s/mongodb/exporter/deployment.yaml:2-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: mongodb-exporter
6 | namespace: mongodb
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: mongodb-exporter
12 | template:
13 | metadata:
14 | labels:
15 | app: mongodb-exporter
16 | spec:
17 | containers:
18 | - name: mongodb-exporter
19 | image: percona/mongodb_exporter:0.30
20 | args:
21 | - "--mongodb.direct-connect=false"
22 | - "--mongodb.uri=mongodb+srv://admin-user:[email protected]/admin?ssl=true&tlsCAFile=/var/lib/tls/ca/ca.crt&tlsCertificateKeyFile=/var/lib/tls/server/certificateKey.pem"
23 | ports:
24 | - name: metrics
25 | containerPort: 9216
26 | resources:
27 | requests:
28 | memory: 128Mi
29 | cpu: 250m
30 | volumeMounts:
31 | - mountPath: /var/lib/tls/ca/
32 | name: tls-ca
33 | readOnly: true
34 | - mountPath: /var/lib/tls/server/certificateKey.pem
35 | name: tls-secret
36 | subPathExpr: 847a4797b0b13045ba3c76ff71dd689334b2f15b25857791c0e88ac39983d03e.pem
37 | readOnly: true
38 | volumes:
39 | - name: tls-ca
40 | secret:
41 | defaultMode: 416
42 | secretName: mongodb-external-key-pair
43 | - name: tls-secret
44 | secret:
45 | defaultMode: 416
46 | secretName: my-mongodb-server-certificate-key
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.mongodb.mongodb-exporter
File: /lessons/105/k8s/mongodb/exporter/deployment.yaml:2-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: mongodb-exporter
6 | namespace: mongodb
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: mongodb-exporter
12 | template:
13 | metadata:
14 | labels:
15 | app: mongodb-exporter
16 | spec:
17 | containers:
18 | - name: mongodb-exporter
19 | image: percona/mongodb_exporter:0.30
20 | args:
21 | - "--mongodb.direct-connect=false"
22 | - "--mongodb.uri=mongodb+srv://admin-user:[email protected]/admin?ssl=true&tlsCAFile=/var/lib/tls/ca/ca.crt&tlsCertificateKeyFile=/var/lib/tls/server/certificateKey.pem"
23 | ports:
24 | - name: metrics
25 | containerPort: 9216
26 | resources:
27 | requests:
28 | memory: 128Mi
29 | cpu: 250m
30 | volumeMounts:
31 | - mountPath: /var/lib/tls/ca/
32 | name: tls-ca
33 | readOnly: true
34 | - mountPath: /var/lib/tls/server/certificateKey.pem
35 | name: tls-secret
36 | subPathExpr: 847a4797b0b13045ba3c76ff71dd689334b2f15b25857791c0e88ac39983d03e.pem
37 | readOnly: true
38 | volumes:
39 | - name: tls-ca
40 | secret:
41 | defaultMode: 416
42 | secretName: mongodb-external-key-pair
43 | - name: tls-secret
44 | secret:
45 | defaultMode: 416
46 | secretName: my-mongodb-server-certificate-key
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: ClusterRole.default.prometheus-operator
File: /lessons/105/k8s/prometheus-operator/rbac/cluster-role.yaml:2-80
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/105/k8s/prometheus-operator/deployment/deployment.yaml:2-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | labels:
6 | app.kubernetes.io/component: controller
7 | app.kubernetes.io/name: prometheus-operator
8 | app.kubernetes.io/version: 0.53.1
9 | name: prometheus-operator
10 | namespace: monitoring
11 | spec:
12 | replicas: 1
13 | selector:
14 | matchLabels:
15 | app.kubernetes.io/component: controller
16 | app.kubernetes.io/name: prometheus-operator
17 | template:
18 | metadata:
19 | annotations:
20 | kubectl.kubernetes.io/default-container: prometheus-operator
21 | labels:
22 | app.kubernetes.io/component: controller
23 | app.kubernetes.io/name: prometheus-operator
24 | app.kubernetes.io/version: 0.53.1
25 | spec:
26 | containers:
27 | - args:
28 | - --kubelet-service=kube-system/kubelet
29 | - --prometheus-config-reloader=quay.io/prometheus-operator/prometheus-config-reloader:v0.53.1
30 | image: quay.io/prometheus-operator/prometheus-operator:v0.53.1
31 | name: prometheus-operator
32 | ports:
33 | - containerPort: 8080
34 | name: http
35 | resources:
36 | limits:
37 | cpu: 200m
38 | memory: 200Mi
39 | requests:
40 | cpu: 100m
41 | memory: 100Mi
42 | securityContext:
43 | allowPrivilegeEscalation: false
44 | nodeSelector:
45 | kubernetes.io/os: linux
46 | securityContext:
47 | runAsNonRoot: true
48 | runAsUser: 65534
49 | serviceAccountName: prometheus-operator
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/105/k8s/prometheus-operator/deployment/deployment.yaml:2-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | labels:
6 | app.kubernetes.io/component: controller
7 | app.kubernetes.io/name: prometheus-operator
8 | app.kubernetes.io/version: 0.53.1
9 | name: prometheus-operator
10 | namespace: monitoring
11 | spec:
12 | replicas: 1
13 | selector:
14 | matchLabels:
15 | app.kubernetes.io/component: controller
16 | app.kubernetes.io/name: prometheus-operator
17 | template:
18 | metadata:
19 | annotations:
20 | kubectl.kubernetes.io/default-container: prometheus-operator
21 | labels:
22 | app.kubernetes.io/component: controller
23 | app.kubernetes.io/name: prometheus-operator
24 | app.kubernetes.io/version: 0.53.1
25 | spec:
26 | containers:
27 | - args:
28 | - --kubelet-service=kube-system/kubelet
29 | - --prometheus-config-reloader=quay.io/prometheus-operator/prometheus-config-reloader:v0.53.1
30 | image: quay.io/prometheus-operator/prometheus-operator:v0.53.1
31 | name: prometheus-operator
32 | ports:
33 | - containerPort: 8080
34 | name: http
35 | resources:
36 | limits:
37 | cpu: 200m
38 | memory: 200Mi
39 | requests:
40 | cpu: 100m
41 | memory: 100Mi
42 | securityContext:
43 | allowPrivilegeEscalation: false
44 | nodeSelector:
45 | kubernetes.io/os: linux
46 | securityContext:
47 | runAsNonRoot: true
48 | runAsUser: 65534
49 | serviceAccountName: prometheus-operator
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/105/k8s/prometheus-operator/deployment/deployment.yaml:2-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | labels:
6 | app.kubernetes.io/component: controller
7 | app.kubernetes.io/name: prometheus-operator
8 | app.kubernetes.io/version: 0.53.1
9 | name: prometheus-operator
10 | namespace: monitoring
11 | spec:
12 | replicas: 1
13 | selector:
14 | matchLabels:
15 | app.kubernetes.io/component: controller
16 | app.kubernetes.io/name: prometheus-operator
17 | template:
18 | metadata:
19 | annotations:
20 | kubectl.kubernetes.io/default-container: prometheus-operator
21 | labels:
22 | app.kubernetes.io/component: controller
23 | app.kubernetes.io/name: prometheus-operator
24 | app.kubernetes.io/version: 0.53.1
25 | spec:
26 | containers:
27 | - args:
28 | - --kubelet-service=kube-system/kubelet
29 | - --prometheus-config-reloader=quay.io/prometheus-operator/prometheus-config-reloader:v0.53.1
30 | image: quay.io/prometheus-operator/prometheus-operator:v0.53.1
31 | name: prometheus-operator
32 | ports:
33 | - containerPort: 8080
34 | name: http
35 | resources:
36 | limits:
37 | cpu: 200m
38 | memory: 200Mi
39 | requests:
40 | cpu: 100m
41 | memory: 100Mi
42 | securityContext:
43 | allowPrivilegeEscalation: false
44 | nodeSelector:
45 | kubernetes.io/os: linux
46 | securityContext:
47 | runAsNonRoot: true
48 | runAsUser: 65534
49 | serviceAccountName: prometheus-operator
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/105/k8s/prometheus-operator/deployment/deployment.yaml:2-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | labels:
6 | app.kubernetes.io/component: controller
7 | app.kubernetes.io/name: prometheus-operator
8 | app.kubernetes.io/version: 0.53.1
9 | name: prometheus-operator
10 | namespace: monitoring
11 | spec:
12 | replicas: 1
13 | selector:
14 | matchLabels:
15 | app.kubernetes.io/component: controller
16 | app.kubernetes.io/name: prometheus-operator
17 | template:
18 | metadata:
19 | annotations:
20 | kubectl.kubernetes.io/default-container: prometheus-operator
21 | labels:
22 | app.kubernetes.io/component: controller
23 | app.kubernetes.io/name: prometheus-operator
24 | app.kubernetes.io/version: 0.53.1
25 | spec:
26 | containers:
27 | - args:
28 | - --kubelet-service=kube-system/kubelet
29 | - --prometheus-config-reloader=quay.io/prometheus-operator/prometheus-config-reloader:v0.53.1
30 | image: quay.io/prometheus-operator/prometheus-operator:v0.53.1
31 | name: prometheus-operator
32 | ports:
33 | - containerPort: 8080
34 | name: http
35 | resources:
36 | limits:
37 | cpu: 200m
38 | memory: 200Mi
39 | requests:
40 | cpu: 100m
41 | memory: 100Mi
42 | securityContext:
43 | allowPrivilegeEscalation: false
44 | nodeSelector:
45 | kubernetes.io/os: linux
46 | securityContext:
47 | runAsNonRoot: true
48 | runAsUser: 65534
49 | serviceAccountName: prometheus-operator
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/105/k8s/prometheus-operator/deployment/deployment.yaml:2-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | labels:
6 | app.kubernetes.io/component: controller
7 | app.kubernetes.io/name: prometheus-operator
8 | app.kubernetes.io/version: 0.53.1
9 | name: prometheus-operator
10 | namespace: monitoring
11 | spec:
12 | replicas: 1
13 | selector:
14 | matchLabels:
15 | app.kubernetes.io/component: controller
16 | app.kubernetes.io/name: prometheus-operator
17 | template:
18 | metadata:
19 | annotations:
20 | kubectl.kubernetes.io/default-container: prometheus-operator
21 | labels:
22 | app.kubernetes.io/component: controller
23 | app.kubernetes.io/name: prometheus-operator
24 | app.kubernetes.io/version: 0.53.1
25 | spec:
26 | containers:
27 | - args:
28 | - --kubelet-service=kube-system/kubelet
29 | - --prometheus-config-reloader=quay.io/prometheus-operator/prometheus-config-reloader:v0.53.1
30 | image: quay.io/prometheus-operator/prometheus-operator:v0.53.1
31 | name: prometheus-operator
32 | ports:
33 | - containerPort: 8080
34 | name: http
35 | resources:
36 | limits:
37 | cpu: 200m
38 | memory: 200Mi
39 | requests:
40 | cpu: 100m
41 | memory: 100Mi
42 | securityContext:
43 | allowPrivilegeEscalation: false
44 | nodeSelector:
45 | kubernetes.io/os: linux
46 | securityContext:
47 | runAsNonRoot: true
48 | runAsUser: 65534
49 | serviceAccountName: prometheus-operator
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/105/k8s/prometheus-operator/deployment/deployment.yaml:2-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | labels:
6 | app.kubernetes.io/component: controller
7 | app.kubernetes.io/name: prometheus-operator
8 | app.kubernetes.io/version: 0.53.1
9 | name: prometheus-operator
10 | namespace: monitoring
11 | spec:
12 | replicas: 1
13 | selector:
14 | matchLabels:
15 | app.kubernetes.io/component: controller
16 | app.kubernetes.io/name: prometheus-operator
17 | template:
18 | metadata:
19 | annotations:
20 | kubectl.kubernetes.io/default-container: prometheus-operator
21 | labels:
22 | app.kubernetes.io/component: controller
23 | app.kubernetes.io/name: prometheus-operator
24 | app.kubernetes.io/version: 0.53.1
25 | spec:
26 | containers:
27 | - args:
28 | - --kubelet-service=kube-system/kubelet
29 | - --prometheus-config-reloader=quay.io/prometheus-operator/prometheus-config-reloader:v0.53.1
30 | image: quay.io/prometheus-operator/prometheus-operator:v0.53.1
31 | name: prometheus-operator
32 | ports:
33 | - containerPort: 8080
34 | name: http
35 | resources:
36 | limits:
37 | cpu: 200m
38 | memory: 200Mi
39 | requests:
40 | cpu: 100m
41 | memory: 100Mi
42 | securityContext:
43 | allowPrivilegeEscalation: false
44 | nodeSelector:
45 | kubernetes.io/os: linux
46 | securityContext:
47 | runAsNonRoot: true
48 | runAsUser: 65534
49 | serviceAccountName: prometheus-operator
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/105/k8s/prometheus-operator/deployment/deployment.yaml:2-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | labels:
6 | app.kubernetes.io/component: controller
7 | app.kubernetes.io/name: prometheus-operator
8 | app.kubernetes.io/version: 0.53.1
9 | name: prometheus-operator
10 | namespace: monitoring
11 | spec:
12 | replicas: 1
13 | selector:
14 | matchLabels:
15 | app.kubernetes.io/component: controller
16 | app.kubernetes.io/name: prometheus-operator
17 | template:
18 | metadata:
19 | annotations:
20 | kubectl.kubernetes.io/default-container: prometheus-operator
21 | labels:
22 | app.kubernetes.io/component: controller
23 | app.kubernetes.io/name: prometheus-operator
24 | app.kubernetes.io/version: 0.53.1
25 | spec:
26 | containers:
27 | - args:
28 | - --kubelet-service=kube-system/kubelet
29 | - --prometheus-config-reloader=quay.io/prometheus-operator/prometheus-config-reloader:v0.53.1
30 | image: quay.io/prometheus-operator/prometheus-operator:v0.53.1
31 | name: prometheus-operator
32 | ports:
33 | - containerPort: 8080
34 | name: http
35 | resources:
36 | limits:
37 | cpu: 200m
38 | memory: 200Mi
39 | requests:
40 | cpu: 100m
41 | memory: 100Mi
42 | securityContext:
43 | allowPrivilegeEscalation: false
44 | nodeSelector:
45 | kubernetes.io/os: linux
46 | securityContext:
47 | runAsNonRoot: true
48 | runAsUser: 65534
49 | serviceAccountName: prometheus-operator
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/105/k8s/prometheus-operator/deployment/deployment.yaml:2-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | labels:
6 | app.kubernetes.io/component: controller
7 | app.kubernetes.io/name: prometheus-operator
8 | app.kubernetes.io/version: 0.53.1
9 | name: prometheus-operator
10 | namespace: monitoring
11 | spec:
12 | replicas: 1
13 | selector:
14 | matchLabels:
15 | app.kubernetes.io/component: controller
16 | app.kubernetes.io/name: prometheus-operator
17 | template:
18 | metadata:
19 | annotations:
20 | kubectl.kubernetes.io/default-container: prometheus-operator
21 | labels:
22 | app.kubernetes.io/component: controller
23 | app.kubernetes.io/name: prometheus-operator
24 | app.kubernetes.io/version: 0.53.1
25 | spec:
26 | containers:
27 | - args:
28 | - --kubelet-service=kube-system/kubelet
29 | - --prometheus-config-reloader=quay.io/prometheus-operator/prometheus-config-reloader:v0.53.1
30 | image: quay.io/prometheus-operator/prometheus-operator:v0.53.1
31 | name: prometheus-operator
32 | ports:
33 | - containerPort: 8080
34 | name: http
35 | resources:
36 | limits:
37 | cpu: 200m
38 | memory: 200Mi
39 | requests:
40 | cpu: 100m
41 | memory: 100Mi
42 | securityContext:
43 | allowPrivilegeEscalation: false
44 | nodeSelector:
45 | kubernetes.io/os: linux
46 | securityContext:
47 | runAsNonRoot: true
48 | runAsUser: 65534
49 | serviceAccountName: prometheus-operator
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/105/k8s/prometheus-operator/deployment/deployment.yaml:2-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | labels:
6 | app.kubernetes.io/component: controller
7 | app.kubernetes.io/name: prometheus-operator
8 | app.kubernetes.io/version: 0.53.1
9 | name: prometheus-operator
10 | namespace: monitoring
11 | spec:
12 | replicas: 1
13 | selector:
14 | matchLabels:
15 | app.kubernetes.io/component: controller
16 | app.kubernetes.io/name: prometheus-operator
17 | template:
18 | metadata:
19 | annotations:
20 | kubectl.kubernetes.io/default-container: prometheus-operator
21 | labels:
22 | app.kubernetes.io/component: controller
23 | app.kubernetes.io/name: prometheus-operator
24 | app.kubernetes.io/version: 0.53.1
25 | spec:
26 | containers:
27 | - args:
28 | - --kubelet-service=kube-system/kubelet
29 | - --prometheus-config-reloader=quay.io/prometheus-operator/prometheus-config-reloader:v0.53.1
30 | image: quay.io/prometheus-operator/prometheus-operator:v0.53.1
31 | name: prometheus-operator
32 | ports:
33 | - containerPort: 8080
34 | name: http
35 | resources:
36 | limits:
37 | cpu: 200m
38 | memory: 200Mi
39 | requests:
40 | cpu: 100m
41 | memory: 100Mi
42 | securityContext:
43 | allowPrivilegeEscalation: false
44 | nodeSelector:
45 | kubernetes.io/os: linux
46 | securityContext:
47 | runAsNonRoot: true
48 | runAsUser: 65534
49 | serviceAccountName: prometheus-operator
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/143/monitoring/cadvison/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/143/monitoring/cadvison/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/143/monitoring/cadvison/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/143/monitoring/cadvison/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/143/monitoring/cadvison/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/143/monitoring/cadvison/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/143/monitoring/cadvison/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/143/monitoring/cadvison/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/143/monitoring/cadvison/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/143/monitoring/cadvison/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/143/monitoring/cadvison/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/143/monitoring/cadvison/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/143/monitoring/cadvison/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/143/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/143/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/143/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/143/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/143/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/143/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/143/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/143/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/143/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/143/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/143/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/143/monitoring/prometheus-operator/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/143/monitoring/prometheus-operator/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/143/monitoring/prometheus-operator/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/143/monitoring/prometheus-operator/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/143/monitoring/prometheus-operator/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/143/monitoring/prometheus-operator/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: ClusterRole.default.prometheus-operator
File: /lessons/143/monitoring/prometheus-operator/1-cluster-role.yaml:2-81
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/143/monitoring/kube-state-metrics/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/143/monitoring/kube-state-metrics/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/143/monitoring/kube-state-metrics/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/143/monitoring/kube-state-metrics/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/143/monitoring/kube-state-metrics/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.istio-system.kiali
File: /lessons/143/monitoring/kiali/deployment.yaml:2-106
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.istio-system.kiali
File: /lessons/143/monitoring/kiali/deployment.yaml:2-106
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.istio-system.kiali
File: /lessons/143/monitoring/kiali/deployment.yaml:2-106
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.istio-system.kiali
File: /lessons/143/monitoring/kiali/deployment.yaml:2-106
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.istio-system.kiali
File: /lessons/143/monitoring/kiali/deployment.yaml:2-106
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.istio-system.kiali
File: /lessons/143/monitoring/kiali/deployment.yaml:2-106
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.golang.service-b
File: /lessons/143/go-app/deploy/service-b/1-deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.golang.service-b
File: /lessons/143/go-app/deploy/service-b/1-deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.golang.service-b
File: /lessons/143/go-app/deploy/service-b/1-deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.golang.service-b
File: /lessons/143/go-app/deploy/service-b/1-deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.golang.service-b
File: /lessons/143/go-app/deploy/service-b/1-deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.golang.service-b
File: /lessons/143/go-app/deploy/service-b/1-deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.golang.service-b
File: /lessons/143/go-app/deploy/service-b/1-deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.golang.service-b
File: /lessons/143/go-app/deploy/service-b/1-deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.golang.service-b
File: /lessons/143/go-app/deploy/service-b/1-deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.golang.service-b
File: /lessons/143/go-app/deploy/service-b/1-deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.golang.service-b
File: /lessons/143/go-app/deploy/service-b/1-deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.golang.service-b
File: /lessons/143/go-app/deploy/service-b/1-deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.golang.service-b
File: /lessons/143/go-app/deploy/service-b/1-deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.golang.service-a
File: /lessons/143/go-app/deploy/service-a/1-deployment.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.golang.service-a
File: /lessons/143/go-app/deploy/service-a/1-deployment.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.golang.service-a
File: /lessons/143/go-app/deploy/service-a/1-deployment.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.golang.service-a
File: /lessons/143/go-app/deploy/service-a/1-deployment.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.golang.service-a
File: /lessons/143/go-app/deploy/service-a/1-deployment.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.golang.service-a
File: /lessons/143/go-app/deploy/service-a/1-deployment.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.golang.service-a
File: /lessons/143/go-app/deploy/service-a/1-deployment.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.golang.service-a
File: /lessons/143/go-app/deploy/service-a/1-deployment.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.golang.service-a
File: /lessons/143/go-app/deploy/service-a/1-deployment.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.golang.service-a
File: /lessons/143/go-app/deploy/service-a/1-deployment.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.golang.service-a
File: /lessons/143/go-app/deploy/service-a/1-deployment.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.golang.service-a
File: /lessons/143/go-app/deploy/service-a/1-deployment.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.golang.service-a
File: /lessons/143/go-app/deploy/service-a/1-deployment.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.nodejs.service-b
File: /lessons/143/node-app/deploy/service-b/1-deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.nodejs.service-b
File: /lessons/143/node-app/deploy/service-b/1-deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.nodejs.service-b
File: /lessons/143/node-app/deploy/service-b/1-deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.nodejs.service-b
File: /lessons/143/node-app/deploy/service-b/1-deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.nodejs.service-b
File: /lessons/143/node-app/deploy/service-b/1-deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.nodejs.service-b
File: /lessons/143/node-app/deploy/service-b/1-deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.nodejs.service-b
File: /lessons/143/node-app/deploy/service-b/1-deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.nodejs.service-b
File: /lessons/143/node-app/deploy/service-b/1-deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.nodejs.service-b
File: /lessons/143/node-app/deploy/service-b/1-deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.nodejs.service-b
File: /lessons/143/node-app/deploy/service-b/1-deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.nodejs.service-b
File: /lessons/143/node-app/deploy/service-b/1-deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.nodejs.service-b
File: /lessons/143/node-app/deploy/service-b/1-deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.nodejs.service-b
File: /lessons/143/node-app/deploy/service-b/1-deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.nodejs.service-a
File: /lessons/143/node-app/deploy/service-a/1-deployment.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.nodejs.service-a
File: /lessons/143/node-app/deploy/service-a/1-deployment.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.nodejs.service-a
File: /lessons/143/node-app/deploy/service-a/1-deployment.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.nodejs.service-a
File: /lessons/143/node-app/deploy/service-a/1-deployment.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.nodejs.service-a
File: /lessons/143/node-app/deploy/service-a/1-deployment.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.nodejs.service-a
File: /lessons/143/node-app/deploy/service-a/1-deployment.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.nodejs.service-a
File: /lessons/143/node-app/deploy/service-a/1-deployment.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.nodejs.service-a
File: /lessons/143/node-app/deploy/service-a/1-deployment.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.nodejs.service-a
File: /lessons/143/node-app/deploy/service-a/1-deployment.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.nodejs.service-a
File: /lessons/143/node-app/deploy/service-a/1-deployment.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.nodejs.service-a
File: /lessons/143/node-app/deploy/service-a/1-deployment.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.nodejs.service-a
File: /lessons/143/node-app/deploy/service-a/1-deployment.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.nodejs.service-a
File: /lessons/143/node-app/deploy/service-a/1-deployment.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/143/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: minio-post-job
6 |   namespace: minio
7 | spec:
8 |   template:
9 |     metadata:
10 |       labels:
11 |         app: minio-job
12 |       annotations:
13 |         sidecar.istio.io/inject: "false"
14 |     spec:
15 |       restartPolicy: OnFailure
16 |       volumes:
17 |         - name: minio-configuration
18 |           projected:
19 |             sources:
20 |               - configMap:
21 |                   name: minio
22 |               - secret:
23 |                   name: minio
24 |       containers:
25 |         - name: minio-make-user
26 |           image: "quay.io/minio/mc:RELEASE.2022-12-13T00-23-28Z"
27 |           imagePullPolicy: IfNotPresent
28 |           command: [ "/bin/sh", "/config/add-user" ]
29 |           env:
30 |             - name: MINIO_ENDPOINT
31 |               value: minio
32 |             - name: MINIO_PORT
33 |               value: "9000"
34 |           volumeMounts:
35 |             - name: minio-configuration
36 |               mountPath: /config
37 |           resources:
38 |             requests:
39 |               memory: 128Mi
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/143/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/143/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/143/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/143/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/143/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/143/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/143/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/143/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/143/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/143/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/143/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/143/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/143/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/143/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.minio.minio
File: /lessons/143/minio/deployment.yaml:2-88
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.minio.minio
File: /lessons/143/minio/deployment.yaml:2-88
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.minio.minio
File: /lessons/143/minio/deployment.yaml:2-88
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.minio.minio
File: /lessons/143/minio/deployment.yaml:2-88
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.minio.minio
File: /lessons/143/minio/deployment.yaml:2-88
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.minio.minio
File: /lessons/143/minio/deployment.yaml:2-88
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.minio.minio
File: /lessons/143/minio/deployment.yaml:2-88
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.minio.minio
File: /lessons/143/minio/deployment.yaml:2-88
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.minio.minio
File: /lessons/143/minio/deployment.yaml:2-88
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.minio.minio
File: /lessons/143/minio/deployment.yaml:2-88
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.minio.minio
File: /lessons/143/minio/deployment.yaml:2-88
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.minio.minio
File: /lessons/143/minio/deployment.yaml:2-88
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.minio.minio
File: /lessons/143/minio/deployment.yaml:2-88
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_156: "Minimize ClusterRoles that grant permissions to approve CertificateSigningRequests"
FAILED for resource: ClusterRole.default.istiod-clusterrole-istio-system
File: /lessons/143/istiod/clusterrole.yaml:3-109
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-permissions-to-approve-certificatesigningrequests-are-minimized.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_155: "Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations"
FAILED for resource: ClusterRole.default.istiod-clusterrole-istio-system
File: /lessons/143/istiod/clusterrole.yaml:3-109
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-control-over-validating-or-mutating-admission-webhook-configurations-are-minimized.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: ClusterRole.default.istio-reader-clusterrole-istio-system
File: /lessons/143/istiod/reader-clusterrole.yaml:3-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
3 | apiVersion: rbac.authorization.k8s.io/v1
4 | kind: ClusterRole
5 | metadata:
6 |   name: istio-reader-clusterrole-istio-system
7 |   labels:
8 |     app: istio-reader
9 |     release: test
10 | rules:
11 |   - apiGroups:
12 |       - "config.istio.io"
13 |       - "security.istio.io"
14 |       - "networking.istio.io"
15 |       - "authentication.istio.io"
16 |       - "rbac.istio.io"
17 |     resources: ["*"]
18 |     verbs: ["get", "list", "watch"]
19 |   - apiGroups: [""]
20 |     resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
21 |     verbs: ["get", "list", "watch"]
22 |   - apiGroups: ["networking.istio.io"]
23 |     verbs: [ "get", "watch", "list" ]
24 |     resources: [ "workloadentries" ]
25 |   - apiGroups: ["apiextensions.k8s.io"]
26 |     resources: ["customresourcedefinitions"]
27 |     verbs: ["get", "list", "watch"]
28 |   - apiGroups: ["discovery.k8s.io"]
29 |     resources: ["endpointslices"]
30 |     verbs: ["get", "list", "watch"]
31 |   - apiGroups: ["multicluster.x-k8s.io"]
32 |     resources: ["serviceexports"]
33 |     verbs: ["get", "list", "watch", "create", "delete"]
34 |   - apiGroups: ["multicluster.x-k8s.io"]
35 |     resources: ["serviceimports"]
36 |     verbs: ["get", "list", "watch"]
37 |   - apiGroups: ["apps"]
38 |     resources: ["replicasets"]
39 |     verbs: ["get", "list", "watch"]
40 |   - apiGroups: ["authentication.k8s.io"]
41 |     resources: ["tokenreviews"]
42 |     verbs: ["create"]
43 |   - apiGroups: ["authorization.k8s.io"]
44 |     resources: ["subjectaccessreviews"]
45 |     verbs: ["create"]
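The findings above for Job.minio.minio-post-job (pod and container securityContext, service account token mounting, capabilities, resource limits, image digest and pull policy) and for the istio-reader ClusterRole (wildcard resources) are all static properties of the manifest, so they can be re-derived without running checkov. The script below is an added example, not code from the tutorials repository and not checkov's own implementation: each predicate approximates the intent of the named CKV_K8S_* check, and checkov's exact matching rules may differ. It embeds the minio-post-job manifest from the finding above and the first two rules of the istio-reader ClusterRole as Python dicts (the JSON form kubectl accepts) so it runs offline without PyYAML, and builds a hardened variant that clears every check listed for the Job. The sha256 digest in the hardened variant is a placeholder of 64 zeros, not the real image digest, and runAsUser 10001 is an assumed UID.

```python
"""Approximate re-implementation of the CKV_K8S_* checks failing above (added
example, not checkov's code; exact checkov matching may differ). Manifests are
embedded as dicts, the JSON form kubectl accepts, so this runs without PyYAML."""
import copy

# lessons/143/minio/minio-post-job.yaml, transcribed from the finding above.
MINIO_JOB = {
    "apiVersion": "batch/v1", "kind": "Job",
    "metadata": {"name": "minio-post-job", "namespace": "minio"},
    "spec": {"template": {
        "metadata": {"labels": {"app": "minio-job"},
                     "annotations": {"sidecar.istio.io/inject": "false"}},
        "spec": {
            "restartPolicy": "OnFailure",
            "volumes": [{"name": "minio-configuration", "projected": {"sources": [
                {"configMap": {"name": "minio"}}, {"secret": {"name": "minio"}}]}}],
            "containers": [{
                "name": "minio-make-user",
                "image": "quay.io/minio/mc:RELEASE.2022-12-13T00-23-28Z",
                "imagePullPolicy": "IfNotPresent",
                "command": ["/bin/sh", "/config/add-user"],
                "env": [{"name": "MINIO_ENDPOINT", "value": "minio"},
                        {"name": "MINIO_PORT", "value": "9000"}],
                "volumeMounts": [{"name": "minio-configuration", "mountPath": "/config"}],
                "resources": {"requests": {"memory": "128Mi"}}}]}}}}

# First two rules of lessons/143/istiod/reader-clusterrole.yaml, shown above.
ISTIO_READER = {"kind": "ClusterRole", "rules": [
    {"apiGroups": ["config.istio.io", "security.istio.io", "networking.istio.io",
                   "authentication.istio.io", "rbac.istio.io"],
     "resources": ["*"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["endpoints", "pods", "services", "nodes",
     "replicationcontrollers", "namespaces", "secrets"], "verbs": ["get", "list", "watch"]}]}


def hardened_minio_job():
    """Copy of MINIO_JOB with the settings each failing check asks for."""
    job = copy.deepcopy(MINIO_JOB)
    pod = job["spec"]["template"]["spec"]
    pod["automountServiceAccountToken"] = False                        # CKV_K8S_38
    pod["securityContext"] = {"runAsNonRoot": True,                     # CKV_K8S_29/23
                              "runAsUser": 10001, "runAsGroup": 10001,  # CKV_K8S_40 (assumed UID)
                              "seccompProfile": {"type": "RuntimeDefault"}}  # CKV_K8S_31
    c = pod["containers"][0]
    # Placeholder digest (64 zeros), NOT the real one: resolve it before use.
    c["image"] = "quay.io/minio/mc@sha256:" + "0" * 64                  # CKV_K8S_43
    c["imagePullPolicy"] = "Always"                                     # CKV_K8S_15
    c["securityContext"] = {"allowPrivilegeEscalation": False,          # CKV_K8S_30/20
                            "readOnlyRootFilesystem": True,             # CKV_K8S_22
                            "capabilities": {"drop": ["ALL"]}}          # CKV_K8S_28/37
    c["resources"] = {"requests": {"cpu": "100m", "memory": "128Mi"},
                      "limits": {"cpu": "500m", "memory": "256Mi"}}     # CKV_K8S_10-13
    return job


def scan_workload(obj):
    """Return the sorted list of check IDs a Pod or pod-template workload fails."""
    pod = obj["spec"] if obj["kind"] == "Pod" else obj["spec"]["template"]["spec"]
    psc = pod.get("securityContext", {})
    failed = {
        "CKV_K8S_38": pod.get("automountServiceAccountToken") is not False,
        "CKV_K8S_31": psc.get("seccompProfile", {}).get("type") != "RuntimeDefault",
    }
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        sc = c.get("securityContext", {})
        uid = sc.get("runAsUser", psc.get("runAsUser"))            # container overrides pod
        non_root = sc.get("runAsNonRoot", psc.get("runAsNonRoot"))
        drop = {d.upper() for d in sc.get("capabilities", {}).get("drop", [])}
        res = c.get("resources", {})
        per_container = {
            "CKV_K8S_30": not sc,
            "CKV_K8S_29": not sc and not psc,
            "CKV_K8S_23": non_root is not True and not (isinstance(uid, int) and uid > 0),
            "CKV_K8S_40": not (isinstance(uid, int) and uid >= 10000),
            "CKV_K8S_20": sc.get("allowPrivilegeEscalation") is not False,
            "CKV_K8S_28": not drop & {"NET_RAW", "ALL"},
            "CKV_K8S_37": "ALL" not in drop,
            "CKV_K8S_22": sc.get("readOnlyRootFilesystem") is not True,
            "CKV_K8S_43": "@sha256:" not in c.get("image", ""),
            "CKV_K8S_15": c.get("imagePullPolicy") != "Always",
            "CKV_K8S_10": "cpu" not in res.get("requests", {}),
            "CKV_K8S_11": "cpu" not in res.get("limits", {}),
            "CKV_K8S_12": "memory" not in res.get("requests", {}),
            "CKV_K8S_13": "memory" not in res.get("limits", {}),
        }
        for check, hit in per_container.items():      # any one container failing fails the workload
            failed[check] = failed.get(check, False) or hit
    return sorted(check for check, hit in failed.items() if hit)


def rbac_wildcards(role):
    """(rule index, field) pairs where a Role/ClusterRole rule uses '*' (CKV_K8S_49)."""
    return [(i, f) for i, rule in enumerate(role.get("rules", []))
            for f in ("apiGroups", "resources", "verbs") if "*" in rule.get(f, [])]


if __name__ == "__main__":
    print("minio-post-job   :", scan_workload(MINIO_JOB))
    print("hardened         :", scan_workload(hardened_minio_job()))
    print("istio-reader '*' :", rbac_wildcards(ISTIO_READER))
```

Running it reports the same fifteen checks checkov lists for the Job above and nothing for the hardened copy. Two caveats before applying the hardened settings for real: readOnlyRootFilesystem will break this particular Job unless mc gets a writable directory for its configuration (an emptyDir mounted at its config path), and once the image is pinned by digest an imagePullPolicy of Always buys little beyond satisfying CKV_K8S_15, since the digest already guarantees which bytes run. For the ClusterRole, the fix for the wildcard finding is to replace `resources: ["*"]` in the first rule with the explicit list of Istio resource types the reader needs; that list is not recoverable from the scan output.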
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.istio-system.istiod
File: /lessons/143/istiod/deployment.yaml:3-163
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.istio-system.istiod
File: /lessons/143/istiod/deployment.yaml:3-163
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.istio-system.istiod
File: /lessons/143/istiod/deployment.yaml:3-163
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.istio-system.istiod
File: /lessons/143/istiod/deployment.yaml:3-163
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.istio-system.istiod
File: /lessons/143/istiod/deployment.yaml:3-163
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.istio-system.istiod
File: /lessons/143/istiod/deployment.yaml:3-163
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.istio-system.istiod
File: /lessons/143/istiod/deployment.yaml:3-163
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.istio-system.istiod
File: /lessons/143/istiod/deployment.yaml:3-163
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.mongodb.mongodb
File: /lessons/143/mongodb/deployment.yaml:2-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.mongodb.mongodb
File: /lessons/143/mongodb/deployment.yaml:2-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.mongodb.mongodb
File: /lessons/143/mongodb/deployment.yaml:2-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.mongodb.mongodb
File: /lessons/143/mongodb/deployment.yaml:2-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.mongodb.mongodb
File: /lessons/143/mongodb/deployment.yaml:2-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.mongodb.mongodb
File: /lessons/143/mongodb/deployment.yaml:2-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.mongodb.mongodb
File: /lessons/143/mongodb/deployment.yaml:2-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.mongodb.mongodb
File: /lessons/143/mongodb/deployment.yaml:2-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.mongodb.mongodb
File: /lessons/143/mongodb/deployment.yaml:2-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.mongodb.mongodb
File: /lessons/143/mongodb/deployment.yaml:2-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/150/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/150/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/150/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/150/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/150/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/150/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/150/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/150/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/150/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/150/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/150/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/150/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/150/monitoring/cadvison/daemonset.yaml:2-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: ClusterRole.default.prometheus-operator
File: /lessons/150/monitoring/prometheus-operator/rbac.yaml:19-98
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/150/monitoring/prometheus-operator/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/150/monitoring/prometheus-operator/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/150/monitoring/prometheus-operator/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/150/monitoring/prometheus-operator/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/150/monitoring/prometheus-operator/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/150/monitoring/prometheus-operator/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/150/node-exporter-amd64/daemon-set.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/150/node-exporter-amd64/daemon-set.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_19: "Containers should not share the host network namespace"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/150/node-exporter-amd64/daemon-set.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-18.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/150/node-exporter-amd64/daemon-set.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/150/node-exporter-amd64/daemon-set.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_17: "Containers should not share the host process ID namespace"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/150/node-exporter-amd64/daemon-set.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-16.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/150/node-exporter-amd64/daemon-set.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/150/node-exporter-amd64/daemon-set.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/150/node-exporter-amd64/daemon-set.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/150/node-exporter-amd64/daemon-set.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/150/node-exporter-amd64/daemon-set.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.go-app
File: /lessons/150/go-app/deploy/amd64/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.go-app
File: /lessons/150/go-app/deploy/amd64/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.go-app
File: /lessons/150/go-app/deploy/amd64/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.go-app
File: /lessons/150/go-app/deploy/amd64/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.go-app
File: /lessons/150/go-app/deploy/amd64/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.go-app
File: /lessons/150/go-app/deploy/amd64/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.go-app
File: /lessons/150/go-app/deploy/amd64/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.go-app
File: /lessons/150/go-app/deploy/amd64/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.go-app
File: /lessons/150/go-app/deploy/amd64/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.go-app
File: /lessons/150/go-app/deploy/amd64/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.staging.go-app
File: /lessons/150/go-app/deploy/amd64/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.go-app
File: /lessons/150/go-app/deploy/amd64/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.go-app
File: /lessons/150/go-app/deploy/arm64/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.go-app
File: /lessons/150/go-app/deploy/arm64/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.go-app
File: /lessons/150/go-app/deploy/arm64/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.go-app
File: /lessons/150/go-app/deploy/arm64/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.go-app
File: /lessons/150/go-app/deploy/arm64/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.go-app
File: /lessons/150/go-app/deploy/arm64/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.go-app
File: /lessons/150/go-app/deploy/arm64/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.go-app
File: /lessons/150/go-app/deploy/arm64/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.go-app
File: /lessons/150/go-app/deploy/arm64/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.go-app
File: /lessons/150/go-app/deploy/arm64/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.staging.go-app
File: /lessons/150/go-app/deploy/arm64/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.go-app
File: /lessons/150/go-app/deploy/arm64/deployment.yaml:2-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/150/node-exporter-arm64/daemon-set.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/150/node-exporter-arm64/daemon-set.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_19: "Containers should not share the host network namespace"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/150/node-exporter-arm64/daemon-set.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-18.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/150/node-exporter-arm64/daemon-set.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/150/node-exporter-arm64/daemon-set.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_17: "Containers should not share the host process ID namespace"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/150/node-exporter-arm64/daemon-set.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-16.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/150/node-exporter-arm64/daemon-set.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/150/node-exporter-arm64/daemon-set.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/150/node-exporter-arm64/daemon-set.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/150/node-exporter-arm64/daemon-set.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /lessons/150/node-exporter-arm64/daemon-set.yaml:2-72
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.ubuntu-pod-1
File: /lessons/135/stress-test.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 |   name: ubuntu-pod-1
6 |   namespace: default
7 |   labels:
8 |     app: ubuntu-pod
9 | spec:
10 |   containers:
11 |   - name: ubuntu
12 |     image: ubuntu:22.04
13 |     command: [ "/bin/bash", "-c", "--" ]
14 |     args: [ "while true; do sleep 30; done;" ]
15 |     resources:
16 |       requests:
17 |         cpu: 500m
18 |         memory: 512Mi
19 |       limits:
20 |         cpu: 800m
21 |         memory: 1Gi
22 |   affinity:
23 |     podAntiAffinity:
24 |       requiredDuringSchedulingIgnoredDuringExecution:
25 |       - labelSelector:
26 |           matchExpressions:
27 |           - key: app
28 |             operator: In
29 |             values:
30 |             - ubuntu-pod
31 |         topologyKey: "kubernetes.io/hostname"
32 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.ubuntu-pod-1
File: /lessons/135/stress-test.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.ubuntu-pod-1
File: /lessons/135/stress-test.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.ubuntu-pod-1
File: /lessons/135/stress-test.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.default.ubuntu-pod-1
File: /lessons/135/stress-test.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.ubuntu-pod-1
File: /lessons/135/stress-test.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.ubuntu-pod-1
File: /lessons/135/stress-test.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.ubuntu-pod-1
File: /lessons/135/stress-test.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.default.ubuntu-pod-1
File: /lessons/135/stress-test.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.ubuntu-pod-1
File: /lessons/135/stress-test.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.ubuntu-pod-1
File: /lessons/135/stress-test.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.ubuntu-pod-1
File: /lessons/135/stress-test.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.ubuntu-pod-1
File: /lessons/135/stress-test.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Pod.default.ubuntu-pod-1
File: /lessons/135/stress-test.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.ubuntu-pod-1
File: /lessons/135/stress-test.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.ubuntu-pod-2
File: /lessons/135/stress-test.yaml:33-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
33 | apiVersion: v1
34 | kind: Pod
35 | metadata:
36 |   name: ubuntu-pod-2
37 |   namespace: default
38 |   labels:
39 |     app: ubuntu-pod
40 | spec:
41 |   containers:
42 |   - name: ubuntu
43 |     image: ubuntu:22.04
44 |     command: [ "/bin/bash", "-c", "--" ]
45 |     args: [ "while true; do sleep 30; done;" ]
46 |     resources:
47 |       requests:
48 |         cpu: 500m
49 |         memory: 256Mi
50 |       limits:
51 |         cpu: 1500m
52 |         memory: 512Mi
53 |   affinity:
54 |     podAntiAffinity:
55 |       requiredDuringSchedulingIgnoredDuringExecution:
56 |       - labelSelector:
57 |           matchExpressions:
58 |           - key: app
59 |             operator: In
60 |             values:
61 |             - ubuntu-pod
62 |         topologyKey: "kubernetes.io/hostname"
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.ubuntu-pod-2
File: /lessons/135/stress-test.yaml:33-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.ubuntu-pod-2
File: /lessons/135/stress-test.yaml:33-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.ubuntu-pod-2
File: /lessons/135/stress-test.yaml:33-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.default.ubuntu-pod-2
File: /lessons/135/stress-test.yaml:33-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.ubuntu-pod-2
File: /lessons/135/stress-test.yaml:33-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.ubuntu-pod-2
File: /lessons/135/stress-test.yaml:33-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.ubuntu-pod-2
File: /lessons/135/stress-test.yaml:33-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.default.ubuntu-pod-2
File: /lessons/135/stress-test.yaml:33-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.ubuntu-pod-2
File: /lessons/135/stress-test.yaml:33-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.ubuntu-pod-2
File: /lessons/135/stress-test.yaml:33-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.ubuntu-pod-2
File: /lessons/135/stress-test.yaml:33-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.ubuntu-pod-2
File: /lessons/135/stress-test.yaml:33-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Pod.default.ubuntu-pod-2
File: /lessons/135/stress-test.yaml:33-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.ubuntu-pod-2
File: /lessons/135/stress-test.yaml:33-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
33 | apiVersion: v1
34 | kind: Pod
35 | metadata:
36 |   name: ubuntu-pod-2
37 |   namespace: default
38 |   labels:
39 |     app: ubuntu-pod
40 | spec:
41 |   containers:
42 |     - name: ubuntu
43 |       image: ubuntu:22.04
44 |       command: [ "/bin/bash", "-c", "--" ]
45 |       args: [ "while true; do sleep 30; done;" ]
46 |       resources:
47 |         requests:
48 |           cpu: 500m
49 |           memory: 256Mi
50 |         limits:
51 |           cpu: 1500m
52 |           memory: 512Mi
53 |   affinity:
54 |     podAntiAffinity:
55 |       requiredDuringSchedulingIgnoredDuringExecution:
56 |         - labelSelector:
57 |             matchExpressions:
58 |               - key: app
59 |                 operator: In
60 |                 values:
61 |                   - ubuntu-pod
62 |           topologyKey: "kubernetes.io/hostname"
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/135/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/135/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/135/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/135/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/135/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/135/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/135/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/135/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/135/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/135/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/135/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/135/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/135/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/135/monitoring/grafana/6-deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/135/monitoring/grafana/6-deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/135/monitoring/grafana/6-deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/135/monitoring/grafana/6-deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/135/monitoring/grafana/6-deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/135/monitoring/grafana/6-deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/135/monitoring/grafana/6-deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/135/monitoring/grafana/6-deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/135/monitoring/grafana/6-deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/135/monitoring/grafana/6-deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/135/monitoring/grafana/6-deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/135/monitoring/prometheus-operator/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/135/monitoring/prometheus-operator/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/135/monitoring/prometheus-operator/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/135/monitoring/prometheus-operator/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/135/monitoring/prometheus-operator/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/135/monitoring/prometheus-operator/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: ClusterRole.default.prometheus-operator
File: /lessons/135/monitoring/prometheus-operator/1-cluster-role.yaml:2-81
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/135/monitoring/kube-state-metrics/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/135/monitoring/kube-state-metrics/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/135/monitoring/kube-state-metrics/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/135/monitoring/kube-state-metrics/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/135/monitoring/kube-state-metrics/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.kube-system.external-dns
File: /lessons/112/external-dns.yaml:38-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
38 | apiVersion: apps/v1
39 | kind: Deployment
40 | metadata:
41 |   name: external-dns
42 |   namespace: kube-system
43 | spec:
44 |   strategy:
45 |     type: Recreate
46 |   selector:
47 |     matchLabels:
48 |       app: external-dns
49 |   template:
50 |     metadata:
51 |       labels:
52 |         app: external-dns
53 |     spec:
54 |       serviceAccountName: external-dns
55 |       containers:
56 |         - name: external-dns
57 |           image: k8s.gcr.io/external-dns/external-dns:v0.12.0
58 |           args:
59 |             - --source=service
60 |             - --source=ingress
61 |             - --provider=aws
62 |             - --policy=upsert-only
63 |             - --aws-zone-type=public
64 |             - --registry=txt
65 |             - --txt-owner-id=eks-identifier
66 |       securityContext:
67 |         fsGroup: 65534
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.kube-system.external-dns
File: /lessons/112/external-dns.yaml:38-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
38 | apiVersion: apps/v1
39 | kind: Deployment
40 | metadata:
41 |   name: external-dns
42 |   namespace: kube-system
43 | spec:
44 |   strategy:
45 |     type: Recreate
46 |   selector:
47 |     matchLabels:
48 |       app: external-dns
49 |   template:
50 |     metadata:
51 |       labels:
52 |         app: external-dns
53 |     spec:
54 |       serviceAccountName: external-dns
55 |       containers:
56 |         - name: external-dns
57 |           image: k8s.gcr.io/external-dns/external-dns:v0.12.0
58 |           args:
59 |             - --source=service
60 |             - --source=ingress
61 |             - --provider=aws
62 |             - --policy=upsert-only
63 |             - --aws-zone-type=public
64 |             - --registry=txt
65 |             - --txt-owner-id=eks-identifier
66 |       securityContext:
67 |         fsGroup: 65534
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.kube-system.external-dns
File: /lessons/112/external-dns.yaml:38-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
38 | apiVersion: apps/v1
39 | kind: Deployment
40 | metadata:
41 |   name: external-dns
42 |   namespace: kube-system
43 | spec:
44 |   strategy:
45 |     type: Recreate
46 |   selector:
47 |     matchLabels:
48 |       app: external-dns
49 |   template:
50 |     metadata:
51 |       labels:
52 |         app: external-dns
53 |     spec:
54 |       serviceAccountName: external-dns
55 |       containers:
56 |         - name: external-dns
57 |           image: k8s.gcr.io/external-dns/external-dns:v0.12.0
58 |           args:
59 |             - --source=service
60 |             - --source=ingress
61 |             - --provider=aws
62 |             - --policy=upsert-only
63 |             - --aws-zone-type=public
64 |             - --registry=txt
65 |             - --txt-owner-id=eks-identifier
66 |       securityContext:
67 |         fsGroup: 65534
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.kube-system.external-dns
File: /lessons/112/external-dns.yaml:38-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
38 | apiVersion: apps/v1
39 | kind: Deployment
40 | metadata:
41 |   name: external-dns
42 |   namespace: kube-system
43 | spec:
44 |   strategy:
45 |     type: Recreate
46 |   selector:
47 |     matchLabels:
48 |       app: external-dns
49 |   template:
50 |     metadata:
51 |       labels:
52 |         app: external-dns
53 |     spec:
54 |       serviceAccountName: external-dns
55 |       containers:
56 |         - name: external-dns
57 |           image: k8s.gcr.io/external-dns/external-dns:v0.12.0
58 |           args:
59 |             - --source=service
60 |             - --source=ingress
61 |             - --provider=aws
62 |             - --policy=upsert-only
63 |             - --aws-zone-type=public
64 |             - --registry=txt
65 |             - --txt-owner-id=eks-identifier
66 |       securityContext:
67 |         fsGroup: 65534
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.kube-system.external-dns
File: /lessons/112/external-dns.yaml:38-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
38 | apiVersion: apps/v1
39 | kind: Deployment
40 | metadata:
41 |   name: external-dns
42 |   namespace: kube-system
43 | spec:
44 |   strategy:
45 |     type: Recreate
46 |   selector:
47 |     matchLabels:
48 |       app: external-dns
49 |   template:
50 |     metadata:
51 |       labels:
52 |         app: external-dns
53 |     spec:
54 |       serviceAccountName: external-dns
55 |       containers:
56 |         - name: external-dns
57 |           image: k8s.gcr.io/external-dns/external-dns:v0.12.0
58 |           args:
59 |             - --source=service
60 |             - --source=ingress
61 |             - --provider=aws
62 |             - --policy=upsert-only
63 |             - --aws-zone-type=public
64 |             - --registry=txt
65 |             - --txt-owner-id=eks-identifier
66 |       securityContext:
67 |         fsGroup: 65534
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.kube-system.external-dns
File: /lessons/112/external-dns.yaml:38-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
38 | apiVersion: apps/v1
39 | kind: Deployment
40 | metadata:
41 |   name: external-dns
42 |   namespace: kube-system
43 | spec:
44 |   strategy:
45 |     type: Recreate
46 |   selector:
47 |     matchLabels:
48 |       app: external-dns
49 |   template:
50 |     metadata:
51 |       labels:
52 |         app: external-dns
53 |     spec:
54 |       serviceAccountName: external-dns
55 |       containers:
56 |         - name: external-dns
57 |           image: k8s.gcr.io/external-dns/external-dns:v0.12.0
58 |           args:
59 |             - --source=service
60 |             - --source=ingress
61 |             - --provider=aws
62 |             - --policy=upsert-only
63 |             - --aws-zone-type=public
64 |             - --registry=txt
65 |             - --txt-owner-id=eks-identifier
66 |       securityContext:
67 |         fsGroup: 65534
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.kube-system.external-dns
File: /lessons/112/external-dns.yaml:38-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
38 | apiVersion: apps/v1
39 | kind: Deployment
40 | metadata:
41 |   name: external-dns
42 |   namespace: kube-system
43 | spec:
44 |   strategy:
45 |     type: Recreate
46 |   selector:
47 |     matchLabels:
48 |       app: external-dns
49 |   template:
50 |     metadata:
51 |       labels:
52 |         app: external-dns
53 |     spec:
54 |       serviceAccountName: external-dns
55 |       containers:
56 |         - name: external-dns
57 |           image: k8s.gcr.io/external-dns/external-dns:v0.12.0
58 |           args:
59 |             - --source=service
60 |             - --source=ingress
61 |             - --provider=aws
62 |             - --policy=upsert-only
63 |             - --aws-zone-type=public
64 |             - --registry=txt
65 |             - --txt-owner-id=eks-identifier
66 |       securityContext:
67 |         fsGroup: 65534
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.kube-system.external-dns
File: /lessons/112/external-dns.yaml:38-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
38 | apiVersion: apps/v1
39 | kind: Deployment
40 | metadata:
41 |   name: external-dns
42 |   namespace: kube-system
43 | spec:
44 |   strategy:
45 |     type: Recreate
46 |   selector:
47 |     matchLabels:
48 |       app: external-dns
49 |   template:
50 |     metadata:
51 |       labels:
52 |         app: external-dns
53 |     spec:
54 |       serviceAccountName: external-dns
55 |       containers:
56 |         - name: external-dns
57 |           image: k8s.gcr.io/external-dns/external-dns:v0.12.0
58 |           args:
59 |             - --source=service
60 |             - --source=ingress
61 |             - --provider=aws
62 |             - --policy=upsert-only
63 |             - --aws-zone-type=public
64 |             - --registry=txt
65 |             - --txt-owner-id=eks-identifier
66 |       securityContext:
67 |         fsGroup: 65534
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.kube-system.external-dns
File: /lessons/112/external-dns.yaml:38-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
38 | apiVersion: apps/v1
39 | kind: Deployment
40 | metadata:
41 |   name: external-dns
42 |   namespace: kube-system
43 | spec:
44 |   strategy:
45 |     type: Recreate
46 |   selector:
47 |     matchLabels:
48 |       app: external-dns
49 |   template:
50 |     metadata:
51 |       labels:
52 |         app: external-dns
53 |     spec:
54 |       serviceAccountName: external-dns
55 |       containers:
56 |         - name: external-dns
57 |           image: k8s.gcr.io/external-dns/external-dns:v0.12.0
58 |           args:
59 |             - --source=service
60 |             - --source=ingress
61 |             - --provider=aws
62 |             - --policy=upsert-only
63 |             - --aws-zone-type=public
64 |             - --registry=txt
65 |             - --txt-owner-id=eks-identifier
66 |       securityContext:
67 |         fsGroup: 65534
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.kube-system.external-dns
File: /lessons/112/external-dns.yaml:38-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
38 | apiVersion: apps/v1
39 | kind: Deployment
40 | metadata:
41 |   name: external-dns
42 |   namespace: kube-system
43 | spec:
44 |   strategy:
45 |     type: Recreate
46 |   selector:
47 |     matchLabels:
48 |       app: external-dns
49 |   template:
50 |     metadata:
51 |       labels:
52 |         app: external-dns
53 |     spec:
54 |       serviceAccountName: external-dns
55 |       containers:
56 |         - name: external-dns
57 |           image: k8s.gcr.io/external-dns/external-dns:v0.12.0
58 |           args:
59 |             - --source=service
60 |             - --source=ingress
61 |             - --provider=aws
62 |             - --policy=upsert-only
63 |             - --aws-zone-type=public
64 |             - --registry=txt
65 |             - --txt-owner-id=eks-identifier
66 |       securityContext:
67 |         fsGroup: 65534
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.kube-system.external-dns
File: /lessons/112/external-dns.yaml:38-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
38 | apiVersion: apps/v1
39 | kind: Deployment
40 | metadata:
41 |   name: external-dns
42 |   namespace: kube-system
43 | spec:
44 |   strategy:
45 |     type: Recreate
46 |   selector:
47 |     matchLabels:
48 |       app: external-dns
49 |   template:
50 |     metadata:
51 |       labels:
52 |         app: external-dns
53 |     spec:
54 |       serviceAccountName: external-dns
55 |       containers:
56 |         - name: external-dns
57 |           image: k8s.gcr.io/external-dns/external-dns:v0.12.0
58 |           args:
59 |             - --source=service
60 |             - --source=ingress
61 |             - --provider=aws
62 |             - --policy=upsert-only
63 |             - --aws-zone-type=public
64 |             - --registry=txt
65 |             - --txt-owner-id=eks-identifier
66 |       securityContext:
67 |         fsGroup: 65534
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.kube-system.external-dns
File: /lessons/112/external-dns.yaml:38-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
38 | apiVersion: apps/v1
39 | kind: Deployment
40 | metadata:
41 |   name: external-dns
42 |   namespace: kube-system
43 | spec:
44 |   strategy:
45 |     type: Recreate
46 |   selector:
47 |     matchLabels:
48 |       app: external-dns
49 |   template:
50 |     metadata:
51 |       labels:
52 |         app: external-dns
53 |     spec:
54 |       serviceAccountName: external-dns
55 |       containers:
56 |         - name: external-dns
57 |           image: k8s.gcr.io/external-dns/external-dns:v0.12.0
58 |           args:
59 |             - --source=service
60 |             - --source=ingress
61 |             - --provider=aws
62 |             - --policy=upsert-only
63 |             - --aws-zone-type=public
64 |             - --registry=txt
65 |             - --txt-owner-id=eks-identifier
66 |       securityContext:
67 |         fsGroup: 65534
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.kube-system.external-dns
File: /lessons/112/external-dns.yaml:38-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
38 | apiVersion: apps/v1
39 | kind: Deployment
40 | metadata:
41 |   name: external-dns
42 |   namespace: kube-system
43 | spec:
44 |   strategy:
45 |     type: Recreate
46 |   selector:
47 |     matchLabels:
48 |       app: external-dns
49 |   template:
50 |     metadata:
51 |       labels:
52 |         app: external-dns
53 |     spec:
54 |       serviceAccountName: external-dns
55 |       containers:
56 |         - name: external-dns
57 |           image: k8s.gcr.io/external-dns/external-dns:v0.12.0
58 |           args:
59 |             - --source=service
60 |             - --source=ingress
61 |             - --provider=aws
62 |             - --policy=upsert-only
63 |             - --aws-zone-type=public
64 |             - --registry=txt
65 |             - --txt-owner-id=eks-identifier
66 |       securityContext:
67 |         fsGroup: 65534
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.kube-system.external-dns
File: /lessons/112/external-dns.yaml:38-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
38 | apiVersion: apps/v1
39 | kind: Deployment
40 | metadata:
41 |   name: external-dns
42 |   namespace: kube-system
43 | spec:
44 |   strategy:
45 |     type: Recreate
46 |   selector:
47 |     matchLabels:
48 |       app: external-dns
49 |   template:
50 |     metadata:
51 |       labels:
52 |         app: external-dns
53 |     spec:
54 |       serviceAccountName: external-dns
55 |       containers:
56 |         - name: external-dns
57 |           image: k8s.gcr.io/external-dns/external-dns:v0.12.0
58 |           args:
59 |             - --source=service
60 |             - --source=ingress
61 |             - --provider=aws
62 |             - --policy=upsert-only
63 |             - --aws-zone-type=public
64 |             - --registry=txt
65 |             - --txt-owner-id=eks-identifier
66 |       securityContext:
67 |         fsGroup: 65534
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.kube-system.external-dns
File: /lessons/112/external-dns.yaml:38-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
38 | apiVersion: apps/v1
39 | kind: Deployment
40 | metadata:
41 | name: external-dns
42 | namespace: kube-system
43 | spec:
44 | strategy:
45 | type: Recreate
46 | selector:
47 | matchLabels:
48 | app: external-dns
49 | template:
50 | metadata:
51 | labels:
52 | app: external-dns
53 | spec:
54 | serviceAccountName: external-dns
55 | containers:
56 | - name: external-dns
57 | image: k8s.gcr.io/external-dns/external-dns:v0.12.0
58 | args:
59 | - --source=service
60 | - --source=ingress
61 | - --provider=aws
62 | - --policy=upsert-only
63 | - --aws-zone-type=public
64 | - --registry=txt
65 | - --txt-owner-id=eks-identifier
66 | securityContext:
67 | fsGroup: 65534
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.kube-system.external-dns
File: /lessons/112/external-dns.yaml:38-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
38 | apiVersion: apps/v1
39 | kind: Deployment
40 | metadata:
41 | name: external-dns
42 | namespace: kube-system
43 | spec:
44 | strategy:
45 | type: Recreate
46 | selector:
47 | matchLabels:
48 | app: external-dns
49 | template:
50 | metadata:
51 | labels:
52 | app: external-dns
53 | spec:
54 | serviceAccountName: external-dns
55 | containers:
56 | - name: external-dns
57 | image: k8s.gcr.io/external-dns/external-dns:v0.12.0
58 | args:
59 | - --source=service
60 | - --source=ingress
61 | - --provider=aws
62 | - --policy=upsert-only
63 | - --aws-zone-type=public
64 | - --registry=txt
65 | - --txt-owner-id=eks-identifier
66 | securityContext:
67 | fsGroup: 65534
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.kube-system.external-dns
File: /lessons/112/external-dns.yaml:38-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
38 | apiVersion: apps/v1
39 | kind: Deployment
40 | metadata:
41 | name: external-dns
42 | namespace: kube-system
43 | spec:
44 | strategy:
45 | type: Recreate
46 | selector:
47 | matchLabels:
48 | app: external-dns
49 | template:
50 | metadata:
51 | labels:
52 | app: external-dns
53 | spec:
54 | serviceAccountName: external-dns
55 | containers:
56 | - name: external-dns
57 | image: k8s.gcr.io/external-dns/external-dns:v0.12.0
58 | args:
59 | - --source=service
60 | - --source=ingress
61 | - --provider=aws
62 | - --policy=upsert-only
63 | - --aws-zone-type=public
64 | - --registry=txt
65 | - --txt-owner-id=eks-identifier
66 | securityContext:
67 | fsGroup: 65534
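The external-dns Deployment above trips several checks that have a straightforward fix (capabilities, resources, seccomp, pull policy, digest) and one that does not: CKV_K8S_38. external-dns lists Services and Ingresses through the Kubernetes API, so it genuinely needs its service-account token, and setting `automountServiceAccountToken: false` would break it. The manifest below is an added example, not code from the antonputra/tutorials repository or the external-dns project: it hardens everything the scanner flagged and records the token exception with checkov's own `checkov.io/skip#` annotation instead of silencing the finding. The `@sha256:<digest>` suffix is a placeholder to be replaced with the digest of the image you actually deploy (for example from `crane digest`), the resource values are assumptions to size for your cluster, and `runAsUser: 65534` is chosen to match the `fsGroup` the original already sets.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-dns
  namespace: kube-system
  annotations:
    # CKV_K8S_38: external-dns needs the token to watch Services/Ingresses via the API server.
    # Record the exception where the scanner will read it rather than disabling the check globally.
    checkov.io/skip1: CKV_K8S_38=external-dns reads Services and Ingresses from the Kubernetes API
spec:
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: external-dns
  template:
    metadata:
      labels:
        app: external-dns
    spec:
      serviceAccountName: external-dns
      automountServiceAccountToken: true       # deliberate; see the annotation above
      securityContext:
        runAsNonRoot: true                     # CKV_K8S_23
        runAsUser: 65534                       # CKV_K8S_40: "nobody", matches the existing fsGroup
        fsGroup: 65534
        seccompProfile:
          type: RuntimeDefault                 # CKV_K8S_31
      containers:
      - name: external-dns
        # CKV_K8S_43: pin by digest so the tag cannot be silently re-pointed; <digest> is a placeholder
        image: k8s.gcr.io/external-dns/external-dns:v0.12.0@sha256:<digest>
        imagePullPolicy: Always                # CKV_K8S_15
        args:
        - --source=service
        - --source=ingress
        - --provider=aws
        - --policy=upsert-only
        - --aws-zone-type=public
        - --registry=txt
        - --txt-owner-id=eks-identifier
        securityContext:
          allowPrivilegeEscalation: false      # CKV_K8S_20
          readOnlyRootFilesystem: true         # CKV_K8S_22: static binary, writes nothing to its rootfs
          capabilities:
            drop: ["ALL"]                      # CKV_K8S_28 (NET_RAW) and CKV_K8S_37 in one line
        resources:                             # CKV_K8S_10, 11, 12, 13 (assumed sizes)
          requests:
            cpu: 50m
            memory: 64Mi
          limits:
            cpu: 200m
            memory: 128Mi
```

Two caveats when applying this. Once the image is pinned by digest, `imagePullPolicy: Always` only re-verifies that digest on each start, so it costs a registry round-trip rather than pulling a different image; the check is still worth satisfying because it also protects tag-based manifests elsewhere in the repo. And `drop: ["ALL"]` is safe for external-dns because it binds no privileged ports and only makes outbound HTTPS calls; for a workload that does need a capability, add it back under `capabilities.add` individually rather than leaving the default set.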
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.kube-system.aws-load-balancer-controller
File: /lessons/112/v2_4_1_full.yaml:803-866
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.kube-system.aws-load-balancer-controller
File: /lessons/112/v2_4_1_full.yaml:803-866
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.kube-system.aws-load-balancer-controller
File: /lessons/112/v2_4_1_full.yaml:803-866
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.kube-system.aws-load-balancer-controller
File: /lessons/112/v2_4_1_full.yaml:803-866
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.kube-system.aws-load-balancer-controller
File: /lessons/112/v2_4_1_full.yaml:803-866
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.kube-system.aws-load-balancer-controller
File: /lessons/112/v2_4_1_full.yaml:803-866
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.kube-system.aws-load-balancer-controller
File: /lessons/112/v2_4_1_full.yaml:803-866
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.kube-system.aws-load-balancer-controller
File: /lessons/112/v2_4_1_full.yaml:803-866
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.1-example.echoserver
File: /lessons/112/k8s/1-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: echoserver
11 | namespace: 1-example
12 | spec:
13 | selector:
14 | matchLabels:
15 | app: echoserver
16 | replicas: 1
17 | template:
18 | metadata:
19 | labels:
20 | app: echoserver
21 | spec:
22 | containers:
23 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 | name: echoserver
25 | ports:
26 | - containerPort: 8080
27 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.1-example.echoserver
File: /lessons/112/k8s/1-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: echoserver
11 | namespace: 1-example
12 | spec:
13 | selector:
14 | matchLabels:
15 | app: echoserver
16 | replicas: 1
17 | template:
18 | metadata:
19 | labels:
20 | app: echoserver
21 | spec:
22 | containers:
23 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 | name: echoserver
25 | ports:
26 | - containerPort: 8080
27 | ---
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.1-example.echoserver
File: /lessons/112/k8s/1-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: echoserver
11 | namespace: 1-example
12 | spec:
13 | selector:
14 | matchLabels:
15 | app: echoserver
16 | replicas: 1
17 | template:
18 | metadata:
19 | labels:
20 | app: echoserver
21 | spec:
22 | containers:
23 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 | name: echoserver
25 | ports:
26 | - containerPort: 8080
27 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.1-example.echoserver
File: /lessons/112/k8s/1-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: echoserver
11 | namespace: 1-example
12 | spec:
13 | selector:
14 | matchLabels:
15 | app: echoserver
16 | replicas: 1
17 | template:
18 | metadata:
19 | labels:
20 | app: echoserver
21 | spec:
22 | containers:
23 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 | name: echoserver
25 | ports:
26 | - containerPort: 8080
27 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.1-example.echoserver
File: /lessons/112/k8s/1-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: echoserver
11 | namespace: 1-example
12 | spec:
13 | selector:
14 | matchLabels:
15 | app: echoserver
16 | replicas: 1
17 | template:
18 | metadata:
19 | labels:
20 | app: echoserver
21 | spec:
22 | containers:
23 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 | name: echoserver
25 | ports:
26 | - containerPort: 8080
27 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.1-example.echoserver
File: /lessons/112/k8s/1-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: echoserver
11 | namespace: 1-example
12 | spec:
13 | selector:
14 | matchLabels:
15 | app: echoserver
16 | replicas: 1
17 | template:
18 | metadata:
19 | labels:
20 | app: echoserver
21 | spec:
22 | containers:
23 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 | name: echoserver
25 | ports:
26 | - containerPort: 8080
27 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.1-example.echoserver
File: /lessons/112/k8s/1-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: echoserver
11 | namespace: 1-example
12 | spec:
13 | selector:
14 | matchLabels:
15 | app: echoserver
16 | replicas: 1
17 | template:
18 | metadata:
19 | labels:
20 | app: echoserver
21 | spec:
22 | containers:
23 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 | name: echoserver
25 | ports:
26 | - containerPort: 8080
27 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.1-example.echoserver
File: /lessons/112/k8s/1-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: echoserver
11 | namespace: 1-example
12 | spec:
13 | selector:
14 | matchLabels:
15 | app: echoserver
16 | replicas: 1
17 | template:
18 | metadata:
19 | labels:
20 | app: echoserver
21 | spec:
22 | containers:
23 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 | name: echoserver
25 | ports:
26 | - containerPort: 8080
27 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.1-example.echoserver
File: /lessons/112/k8s/1-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: echoserver
11 | namespace: 1-example
12 | spec:
13 | selector:
14 | matchLabels:
15 | app: echoserver
16 | replicas: 1
17 | template:
18 | metadata:
19 | labels:
20 | app: echoserver
21 | spec:
22 | containers:
23 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 | name: echoserver
25 | ports:
26 | - containerPort: 8080
27 | ---
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.1-example.echoserver
File: /lessons/112/k8s/1-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: echoserver
11 | namespace: 1-example
12 | spec:
13 | selector:
14 | matchLabels:
15 | app: echoserver
16 | replicas: 1
17 | template:
18 | metadata:
19 | labels:
20 | app: echoserver
21 | spec:
22 | containers:
23 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 | name: echoserver
25 | ports:
26 | - containerPort: 8080
27 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.1-example.echoserver
File: /lessons/112/k8s/1-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: echoserver
11 | namespace: 1-example
12 | spec:
13 | selector:
14 | matchLabels:
15 | app: echoserver
16 | replicas: 1
17 | template:
18 | metadata:
19 | labels:
20 | app: echoserver
21 | spec:
22 | containers:
23 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 | name: echoserver
25 | ports:
26 | - containerPort: 8080
27 | ---
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.1-example.echoserver
File: /lessons/112/k8s/1-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: echoserver
11 | namespace: 1-example
12 | spec:
13 | selector:
14 | matchLabels:
15 | app: echoserver
16 | replicas: 1
17 | template:
18 | metadata:
19 | labels:
20 | app: echoserver
21 | spec:
22 | containers:
23 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 | name: echoserver
25 | ports:
26 | - containerPort: 8080
27 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.1-example.echoserver
File: /lessons/112/k8s/1-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: echoserver
11 | namespace: 1-example
12 | spec:
13 | selector:
14 | matchLabels:
15 | app: echoserver
16 | replicas: 1
17 | template:
18 | metadata:
19 | labels:
20 | app: echoserver
21 | spec:
22 | containers:
23 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 | name: echoserver
25 | ports:
26 | - containerPort: 8080
27 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.1-example.echoserver
File: /lessons/112/k8s/1-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: echoserver
11 | namespace: 1-example
12 | spec:
13 | selector:
14 | matchLabels:
15 | app: echoserver
16 | replicas: 1
17 | template:
18 | metadata:
19 | labels:
20 | app: echoserver
21 | spec:
22 | containers:
23 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 | name: echoserver
25 | ports:
26 | - containerPort: 8080
27 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.1-example.echoserver
File: /lessons/112/k8s/1-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: echoserver
11 | namespace: 1-example
12 | spec:
13 | selector:
14 | matchLabels:
15 | app: echoserver
16 | replicas: 1
17 | template:
18 | metadata:
19 | labels:
20 | app: echoserver
21 | spec:
22 | containers:
23 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 | name: echoserver
25 | ports:
26 | - containerPort: 8080
27 | ---
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.1-example.echoserver
File: /lessons/112/k8s/1-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: echoserver
11 | namespace: 1-example
12 | spec:
13 | selector:
14 | matchLabels:
15 | app: echoserver
16 | replicas: 1
17 | template:
18 | metadata:
19 | labels:
20 | app: echoserver
21 | spec:
22 | containers:
23 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 | name: echoserver
25 | ports:
26 | - containerPort: 8080
27 | ---
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.1-example.echoserver
File: /lessons/112/k8s/1-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: echoserver
11 | namespace: 1-example
12 | spec:
13 | selector:
14 | matchLabels:
15 | app: echoserver
16 | replicas: 1
17 | template:
18 | metadata:
19 | labels:
20 | app: echoserver
21 | spec:
22 | containers:
23 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 | name: echoserver
25 | ports:
26 | - containerPort: 8080
27 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.1-example.echoserver
File: /lessons/112/k8s/1-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: echoserver
11 | namespace: 1-example
12 | spec:
13 | selector:
14 | matchLabels:
15 | app: echoserver
16 | replicas: 1
17 | template:
18 | metadata:
19 | labels:
20 | app: echoserver
21 | spec:
22 | containers:
23 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 | name: echoserver
25 | ports:
26 | - containerPort: 8080
27 | ---
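The echoserver Deployment above has no security context, no probes and no resource bounds at all, which is why it collects every CKV_K8S_* check in this group. Unlike external-dns it is a stateless HTTP responder that never calls the Kubernetes API, so here disabling token automount is the right answer rather than an exception. The manifest below is an added example, not code from the antonputra/tutorials repository: it shows the full set of fields the findings ask for on a plain web workload. The `@sha256:<digest>` suffix is a placeholder to resolve against the image you deploy, the resource sizes and the probe path `/` are assumptions, and the `emptyDir` scratch mounts are an assumption about where this nginx-based image writes at runtime; a read-only root filesystem only works once every writable path the process needs is backed by a volume, so verify the paths against the image before relying on it.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: echoserver
  namespace: 1-example
spec:
  selector:
    matchLabels:
      app: echoserver
  replicas: 1
  template:
    metadata:
      labels:
        app: echoserver
    spec:
      automountServiceAccountToken: false      # CKV_K8S_38: this workload never talks to the API server
      securityContext:
        runAsNonRoot: true                     # CKV_K8S_23
        runAsUser: 10001                       # CKV_K8S_40: above the range of host system accounts (assumed UID)
        runAsGroup: 10001
        seccompProfile:
          type: RuntimeDefault                 # CKV_K8S_31
      containers:
      - name: echoserver
        image: k8s.gcr.io/e2e-test-images/echoserver:2.5@sha256:<digest>   # CKV_K8S_43; <digest> is a placeholder
        imagePullPolicy: Always                # CKV_K8S_15
        ports:
        - containerPort: 8080                  # unprivileged port, so no capability is needed
        securityContext:
          allowPrivilegeEscalation: false      # CKV_K8S_20: blocks setuid binaries from regaining root
          readOnlyRootFilesystem: true         # CKV_K8S_22
          capabilities:
            drop: ["ALL"]                      # CKV_K8S_28 and CKV_K8S_37
        resources:                             # CKV_K8S_10, 11, 12, 13 (assumed sizes)
          requests:
            cpu: 50m
            memory: 64Mi
          limits:
            cpu: 200m
            memory: 128Mi
        readinessProbe:                        # CKV_K8S_9: stop routing traffic if the responder stalls
          httpGet:
            path: /
            port: 8080
          periodSeconds: 5
        livenessProbe:                         # CKV_K8S_8: restart a wedged container
          httpGet:
            path: /
            port: 8080
          initialDelaySeconds: 10
          periodSeconds: 10
        volumeMounts:                          # assumed writable paths for an nginx-based image
        - name: scratch
          mountPath: /tmp
        - name: nginx-cache
          mountPath: /var/cache/nginx
        - name: nginx-run
          mountPath: /var/run
      volumes:
      - name: scratch
        emptyDir: {}
      - name: nginx-cache
        emptyDir: {}
      - name: nginx-run
        emptyDir: {}
```

The same manifest, with the namespace changed, resolves the identical findings reported for `Deployment.3-example.echoserver` below. Because the checker evaluates each Deployment on its own, the pod-level `securityContext` and `automountServiceAccountToken` have to be repeated per manifest; if the repo grows more of these, a Pod Security Admission label of `pod-security.kubernetes.io/enforce: restricted` on the namespace enforces the same baseline at admission time, independently of whether a scanner ran in CI.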
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.3-example.echoserver
File: /lessons/112/k8s/3-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: echoserver
11 | namespace: 3-example
12 | spec:
13 | selector:
14 | matchLabels:
15 | app: echoserver
16 | replicas: 1
17 | template:
18 | metadata:
19 | labels:
20 | app: echoserver
21 | spec:
22 | containers:
23 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 | name: echoserver
25 | ports:
26 | - containerPort: 8080
27 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.3-example.echoserver
File: /lessons/112/k8s/3-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: echoserver
11 | namespace: 3-example
12 | spec:
13 | selector:
14 | matchLabels:
15 | app: echoserver
16 | replicas: 1
17 | template:
18 | metadata:
19 | labels:
20 | app: echoserver
21 | spec:
22 | containers:
23 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 | name: echoserver
25 | ports:
26 | - containerPort: 8080
27 | ---
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.3-example.echoserver
File: /lessons/112/k8s/3-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: echoserver
11 | namespace: 3-example
12 | spec:
13 | selector:
14 | matchLabels:
15 | app: echoserver
16 | replicas: 1
17 | template:
18 | metadata:
19 | labels:
20 | app: echoserver
21 | spec:
22 | containers:
23 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 | name: echoserver
25 | ports:
26 | - containerPort: 8080
27 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.3-example.echoserver
File: /lessons/112/k8s/3-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: echoserver
11 | namespace: 3-example
12 | spec:
13 | selector:
14 | matchLabels:
15 | app: echoserver
16 | replicas: 1
17 | template:
18 | metadata:
19 | labels:
20 | app: echoserver
21 | spec:
22 | containers:
23 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 | name: echoserver
25 | ports:
26 | - containerPort: 8080
27 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.3-example.echoserver
File: /lessons/112/k8s/3-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: echoserver
11 | namespace: 3-example
12 | spec:
13 | selector:
14 | matchLabels:
15 | app: echoserver
16 | replicas: 1
17 | template:
18 | metadata:
19 | labels:
20 | app: echoserver
21 | spec:
22 | containers:
23 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 | name: echoserver
25 | ports:
26 | - containerPort: 8080
27 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.3-example.echoserver
File: /lessons/112/k8s/3-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: echoserver
11 | namespace: 3-example
12 | spec:
13 | selector:
14 | matchLabels:
15 | app: echoserver
16 | replicas: 1
17 | template:
18 | metadata:
19 | labels:
20 | app: echoserver
21 | spec:
22 | containers:
23 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 | name: echoserver
25 | ports:
26 | - containerPort: 8080
27 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.3-example.echoserver
File: /lessons/112/k8s/3-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: echoserver
11 | namespace: 3-example
12 | spec:
13 | selector:
14 | matchLabels:
15 | app: echoserver
16 | replicas: 1
17 | template:
18 | metadata:
19 | labels:
20 | app: echoserver
21 | spec:
22 | containers:
23 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 | name: echoserver
25 | ports:
26 | - containerPort: 8080
27 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.3-example.echoserver
File: /lessons/112/k8s/3-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: echoserver
11 | namespace: 3-example
12 | spec:
13 | selector:
14 | matchLabels:
15 | app: echoserver
16 | replicas: 1
17 | template:
18 | metadata:
19 | labels:
20 | app: echoserver
21 | spec:
22 | containers:
23 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 | name: echoserver
25 | ports:
26 | - containerPort: 8080
27 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.3-example.echoserver
File: /lessons/112/k8s/3-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: echoserver
11 | namespace: 3-example
12 | spec:
13 | selector:
14 | matchLabels:
15 | app: echoserver
16 | replicas: 1
17 | template:
18 | metadata:
19 | labels:
20 | app: echoserver
21 | spec:
22 | containers:
23 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 | name: echoserver
25 | ports:
26 | - containerPort: 8080
27 | ---
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.3-example.echoserver
File: /lessons/112/k8s/3-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: echoserver
11 | namespace: 3-example
12 | spec:
13 | selector:
14 | matchLabels:
15 | app: echoserver
16 | replicas: 1
17 | template:
18 | metadata:
19 | labels:
20 | app: echoserver
21 | spec:
22 | containers:
23 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 | name: echoserver
25 | ports:
26 | - containerPort: 8080
27 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.3-example.echoserver
File: /lessons/112/k8s/3-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: echoserver
11 | namespace: 3-example
12 | spec:
13 | selector:
14 | matchLabels:
15 | app: echoserver
16 | replicas: 1
17 | template:
18 | metadata:
19 | labels:
20 | app: echoserver
21 | spec:
22 | containers:
23 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 | name: echoserver
25 | ports:
26 | - containerPort: 8080
27 | ---
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.3-example.echoserver
File: /lessons/112/k8s/3-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: echoserver
11 | namespace: 3-example
12 | spec:
13 | selector:
14 | matchLabels:
15 | app: echoserver
16 | replicas: 1
17 | template:
18 | metadata:
19 | labels:
20 | app: echoserver
21 | spec:
22 | containers:
23 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 | name: echoserver
25 | ports:
26 | - containerPort: 8080
27 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.3-example.echoserver
File: /lessons/112/k8s/3-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: echoserver
11 | namespace: 3-example
12 | spec:
13 | selector:
14 | matchLabels:
15 | app: echoserver
16 | replicas: 1
17 | template:
18 | metadata:
19 | labels:
20 | app: echoserver
21 | spec:
22 | containers:
23 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 | name: echoserver
25 | ports:
26 | - containerPort: 8080
27 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.3-example.echoserver
File: /lessons/112/k8s/3-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: echoserver
11 | namespace: 3-example
12 | spec:
13 | selector:
14 | matchLabels:
15 | app: echoserver
16 | replicas: 1
17 | template:
18 | metadata:
19 | labels:
20 | app: echoserver
21 | spec:
22 | containers:
23 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 | name: echoserver
25 | ports:
26 | - containerPort: 8080
27 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.3-example.echoserver
File: /lessons/112/k8s/3-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: echoserver
11 | namespace: 3-example
12 | spec:
13 | selector:
14 | matchLabels:
15 | app: echoserver
16 | replicas: 1
17 | template:
18 | metadata:
19 | labels:
20 | app: echoserver
21 | spec:
22 | containers:
23 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 | name: echoserver
25 | ports:
26 | - containerPort: 8080
27 | ---
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.3-example.echoserver
File: /lessons/112/k8s/3-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: echoserver
11 |   namespace: 3-example
12 | spec:
13 |   selector:
14 |     matchLabels:
15 |       app: echoserver
16 |   replicas: 1
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: echoserver
21 |     spec:
22 |       containers:
23 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 |           name: echoserver
25 |           ports:
26 |             - containerPort: 8080
27 | ---
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.3-example.echoserver
File: /lessons/112/k8s/3-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: echoserver
11 |   namespace: 3-example
12 | spec:
13 |   selector:
14 |     matchLabels:
15 |       app: echoserver
16 |   replicas: 1
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: echoserver
21 |     spec:
22 |       containers:
23 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 |           name: echoserver
25 |           ports:
26 |             - containerPort: 8080
27 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.3-example.echoserver
File: /lessons/112/k8s/3-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: echoserver
11 |   namespace: 3-example
12 | spec:
13 |   selector:
14 |     matchLabels:
15 |       app: echoserver
16 |   replicas: 1
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: echoserver
21 |     spec:
22 |       containers:
23 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 |           name: echoserver
25 |           ports:
26 |             - containerPort: 8080
27 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.2-example-service-a.echoserver
File: /lessons/112/k8s/2-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: echoserver
11 |   namespace: 2-example-service-a
12 | spec:
13 |   selector:
14 |     matchLabels:
15 |       app: echoserver
16 |   replicas: 1
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: echoserver
21 |     spec:
22 |       containers:
23 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 |           name: echoserver
25 |           ports:
26 |             - containerPort: 8080
27 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.2-example-service-a.echoserver
File: /lessons/112/k8s/2-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: echoserver
11 |   namespace: 2-example-service-a
12 | spec:
13 |   selector:
14 |     matchLabels:
15 |       app: echoserver
16 |   replicas: 1
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: echoserver
21 |     spec:
22 |       containers:
23 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 |           name: echoserver
25 |           ports:
26 |             - containerPort: 8080
27 | ---
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.2-example-service-a.echoserver
File: /lessons/112/k8s/2-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: echoserver
11 |   namespace: 2-example-service-a
12 | spec:
13 |   selector:
14 |     matchLabels:
15 |       app: echoserver
16 |   replicas: 1
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: echoserver
21 |     spec:
22 |       containers:
23 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 |           name: echoserver
25 |           ports:
26 |             - containerPort: 8080
27 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.2-example-service-a.echoserver
File: /lessons/112/k8s/2-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: echoserver
11 |   namespace: 2-example-service-a
12 | spec:
13 |   selector:
14 |     matchLabels:
15 |       app: echoserver
16 |   replicas: 1
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: echoserver
21 |     spec:
22 |       containers:
23 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 |           name: echoserver
25 |           ports:
26 |             - containerPort: 8080
27 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.2-example-service-a.echoserver
File: /lessons/112/k8s/2-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: echoserver
11 |   namespace: 2-example-service-a
12 | spec:
13 |   selector:
14 |     matchLabels:
15 |       app: echoserver
16 |   replicas: 1
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: echoserver
21 |     spec:
22 |       containers:
23 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 |           name: echoserver
25 |           ports:
26 |             - containerPort: 8080
27 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.2-example-service-a.echoserver
File: /lessons/112/k8s/2-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: echoserver
11 |   namespace: 2-example-service-a
12 | spec:
13 |   selector:
14 |     matchLabels:
15 |       app: echoserver
16 |   replicas: 1
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: echoserver
21 |     spec:
22 |       containers:
23 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 |           name: echoserver
25 |           ports:
26 |             - containerPort: 8080
27 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.2-example-service-a.echoserver
File: /lessons/112/k8s/2-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: echoserver
11 |   namespace: 2-example-service-a
12 | spec:
13 |   selector:
14 |     matchLabels:
15 |       app: echoserver
16 |   replicas: 1
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: echoserver
21 |     spec:
22 |       containers:
23 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 |           name: echoserver
25 |           ports:
26 |             - containerPort: 8080
27 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.2-example-service-a.echoserver
File: /lessons/112/k8s/2-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: echoserver
11 |   namespace: 2-example-service-a
12 | spec:
13 |   selector:
14 |     matchLabels:
15 |       app: echoserver
16 |   replicas: 1
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: echoserver
21 |     spec:
22 |       containers:
23 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 |           name: echoserver
25 |           ports:
26 |             - containerPort: 8080
27 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.2-example-service-a.echoserver
File: /lessons/112/k8s/2-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: echoserver
11 |   namespace: 2-example-service-a
12 | spec:
13 |   selector:
14 |     matchLabels:
15 |       app: echoserver
16 |   replicas: 1
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: echoserver
21 |     spec:
22 |       containers:
23 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 |           name: echoserver
25 |           ports:
26 |             - containerPort: 8080
27 | ---
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.2-example-service-a.echoserver
File: /lessons/112/k8s/2-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: echoserver
11 |   namespace: 2-example-service-a
12 | spec:
13 |   selector:
14 |     matchLabels:
15 |       app: echoserver
16 |   replicas: 1
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: echoserver
21 |     spec:
22 |       containers:
23 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 |           name: echoserver
25 |           ports:
26 |             - containerPort: 8080
27 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.2-example-service-a.echoserver
File: /lessons/112/k8s/2-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: echoserver
11 |   namespace: 2-example-service-a
12 | spec:
13 |   selector:
14 |     matchLabels:
15 |       app: echoserver
16 |   replicas: 1
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: echoserver
21 |     spec:
22 |       containers:
23 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 |           name: echoserver
25 |           ports:
26 |             - containerPort: 8080
27 | ---
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.2-example-service-a.echoserver
File: /lessons/112/k8s/2-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: echoserver
11 |   namespace: 2-example-service-a
12 | spec:
13 |   selector:
14 |     matchLabels:
15 |       app: echoserver
16 |   replicas: 1
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: echoserver
21 |     spec:
22 |       containers:
23 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 |           name: echoserver
25 |           ports:
26 |             - containerPort: 8080
27 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.2-example-service-a.echoserver
File: /lessons/112/k8s/2-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: echoserver
11 |   namespace: 2-example-service-a
12 | spec:
13 |   selector:
14 |     matchLabels:
15 |       app: echoserver
16 |   replicas: 1
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: echoserver
21 |     spec:
22 |       containers:
23 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 |           name: echoserver
25 |           ports:
26 |             - containerPort: 8080
27 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.2-example-service-a.echoserver
File: /lessons/112/k8s/2-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: echoserver
11 |   namespace: 2-example-service-a
12 | spec:
13 |   selector:
14 |     matchLabels:
15 |       app: echoserver
16 |   replicas: 1
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: echoserver
21 |     spec:
22 |       containers:
23 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 |           name: echoserver
25 |           ports:
26 |             - containerPort: 8080
27 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.2-example-service-a.echoserver
File: /lessons/112/k8s/2-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: echoserver
11 |   namespace: 2-example-service-a
12 | spec:
13 |   selector:
14 |     matchLabels:
15 |       app: echoserver
16 |   replicas: 1
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: echoserver
21 |     spec:
22 |       containers:
23 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 |           name: echoserver
25 |           ports:
26 |             - containerPort: 8080
27 | ---
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.2-example-service-a.echoserver
File: /lessons/112/k8s/2-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: echoserver
11 |   namespace: 2-example-service-a
12 | spec:
13 |   selector:
14 |     matchLabels:
15 |       app: echoserver
16 |   replicas: 1
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: echoserver
21 |     spec:
22 |       containers:
23 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 |           name: echoserver
25 |           ports:
26 |             - containerPort: 8080
27 | ---
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.2-example-service-a.echoserver
File: /lessons/112/k8s/2-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: echoserver
11 |   namespace: 2-example-service-a
12 | spec:
13 |   selector:
14 |     matchLabels:
15 |       app: echoserver
16 |   replicas: 1
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: echoserver
21 |     spec:
22 |       containers:
23 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 |           name: echoserver
25 |           ports:
26 |             - containerPort: 8080
27 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.2-example-service-a.echoserver
File: /lessons/112/k8s/2-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: echoserver
11 |   namespace: 2-example-service-a
12 | spec:
13 |   selector:
14 |     matchLabels:
15 |       app: echoserver
16 |   replicas: 1
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: echoserver
21 |     spec:
22 |       containers:
23 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 |           name: echoserver
25 |           ports:
26 |             - containerPort: 8080
27 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.2-example-service-b.echoserver
File: /lessons/112/k8s/2-example.yaml:70-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
70 | apiVersion: apps/v1
71 | kind: Deployment
72 | metadata:
73 |   name: echoserver
74 |   namespace: 2-example-service-b
75 | spec:
76 |   selector:
77 |     matchLabels:
78 |       app: echoserver
79 |   replicas: 1
80 |   template:
81 |     metadata:
82 |       labels:
83 |         app: echoserver
84 |     spec:
85 |       containers:
86 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
87 |           name: echoserver
88 |           ports:
89 |             - containerPort: 8080
90 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.2-example-service-b.echoserver
File: /lessons/112/k8s/2-example.yaml:70-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
70 | apiVersion: apps/v1
71 | kind: Deployment
72 | metadata:
73 |   name: echoserver
74 |   namespace: 2-example-service-b
75 | spec:
76 |   selector:
77 |     matchLabels:
78 |       app: echoserver
79 |   replicas: 1
80 |   template:
81 |     metadata:
82 |       labels:
83 |         app: echoserver
84 |     spec:
85 |       containers:
86 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
87 |           name: echoserver
88 |           ports:
89 |             - containerPort: 8080
90 | ---
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.2-example-service-b.echoserver
File: /lessons/112/k8s/2-example.yaml:70-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
70 | apiVersion: apps/v1
71 | kind: Deployment
72 | metadata:
73 |   name: echoserver
74 |   namespace: 2-example-service-b
75 | spec:
76 |   selector:
77 |     matchLabels:
78 |       app: echoserver
79 |   replicas: 1
80 |   template:
81 |     metadata:
82 |       labels:
83 |         app: echoserver
84 |     spec:
85 |       containers:
86 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
87 |           name: echoserver
88 |           ports:
89 |             - containerPort: 8080
90 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.2-example-service-b.echoserver
File: /lessons/112/k8s/2-example.yaml:70-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
70 | apiVersion: apps/v1
71 | kind: Deployment
72 | metadata:
73 |   name: echoserver
74 |   namespace: 2-example-service-b
75 | spec:
76 |   selector:
77 |     matchLabels:
78 |       app: echoserver
79 |   replicas: 1
80 |   template:
81 |     metadata:
82 |       labels:
83 |         app: echoserver
84 |     spec:
85 |       containers:
86 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
87 |           name: echoserver
88 |           ports:
89 |             - containerPort: 8080
90 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.2-example-service-b.echoserver
File: /lessons/112/k8s/2-example.yaml:70-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
70 | apiVersion: apps/v1
71 | kind: Deployment
72 | metadata:
73 |   name: echoserver
74 |   namespace: 2-example-service-b
75 | spec:
76 |   selector:
77 |     matchLabels:
78 |       app: echoserver
79 |   replicas: 1
80 |   template:
81 |     metadata:
82 |       labels:
83 |         app: echoserver
84 |     spec:
85 |       containers:
86 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
87 |           name: echoserver
88 |           ports:
89 |             - containerPort: 8080
90 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.2-example-service-b.echoserver
File: /lessons/112/k8s/2-example.yaml:70-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
70 | apiVersion: apps/v1
71 | kind: Deployment
72 | metadata:
73 |   name: echoserver
74 |   namespace: 2-example-service-b
75 | spec:
76 |   selector:
77 |     matchLabels:
78 |       app: echoserver
79 |   replicas: 1
80 |   template:
81 |     metadata:
82 |       labels:
83 |         app: echoserver
84 |     spec:
85 |       containers:
86 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
87 |           name: echoserver
88 |           ports:
89 |             - containerPort: 8080
90 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.2-example-service-b.echoserver
File: /lessons/112/k8s/2-example.yaml:70-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
70 | apiVersion: apps/v1
71 | kind: Deployment
72 | metadata:
73 |   name: echoserver
74 |   namespace: 2-example-service-b
75 | spec:
76 |   selector:
77 |     matchLabels:
78 |       app: echoserver
79 |   replicas: 1
80 |   template:
81 |     metadata:
82 |       labels:
83 |         app: echoserver
84 |     spec:
85 |       containers:
86 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
87 |           name: echoserver
88 |           ports:
89 |             - containerPort: 8080
90 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.2-example-service-b.echoserver
File: /lessons/112/k8s/2-example.yaml:70-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
70 | apiVersion: apps/v1
71 | kind: Deployment
72 | metadata:
73 |   name: echoserver
74 |   namespace: 2-example-service-b
75 | spec:
76 |   selector:
77 |     matchLabels:
78 |       app: echoserver
79 |   replicas: 1
80 |   template:
81 |     metadata:
82 |       labels:
83 |         app: echoserver
84 |     spec:
85 |       containers:
86 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
87 |           name: echoserver
88 |           ports:
89 |             - containerPort: 8080
90 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.2-example-service-b.echoserver
File: /lessons/112/k8s/2-example.yaml:70-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
70 | apiVersion: apps/v1
71 | kind: Deployment
72 | metadata:
73 |   name: echoserver
74 |   namespace: 2-example-service-b
75 | spec:
76 |   selector:
77 |     matchLabels:
78 |       app: echoserver
79 |   replicas: 1
80 |   template:
81 |     metadata:
82 |       labels:
83 |         app: echoserver
84 |     spec:
85 |       containers:
86 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
87 |           name: echoserver
88 |           ports:
89 |             - containerPort: 8080
90 | ---
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.2-example-service-b.echoserver
File: /lessons/112/k8s/2-example.yaml:70-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
70 | apiVersion: apps/v1
71 | kind: Deployment
72 | metadata:
73 |   name: echoserver
74 |   namespace: 2-example-service-b
75 | spec:
76 |   selector:
77 |     matchLabels:
78 |       app: echoserver
79 |   replicas: 1
80 |   template:
81 |     metadata:
82 |       labels:
83 |         app: echoserver
84 |     spec:
85 |       containers:
86 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
87 |           name: echoserver
88 |           ports:
89 |             - containerPort: 8080
90 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.2-example-service-b.echoserver
File: /lessons/112/k8s/2-example.yaml:70-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
70 | apiVersion: apps/v1
71 | kind: Deployment
72 | metadata:
73 |   name: echoserver
74 |   namespace: 2-example-service-b
75 | spec:
76 |   selector:
77 |     matchLabels:
78 |       app: echoserver
79 |   replicas: 1
80 |   template:
81 |     metadata:
82 |       labels:
83 |         app: echoserver
84 |     spec:
85 |       containers:
86 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
87 |           name: echoserver
88 |           ports:
89 |             - containerPort: 8080
90 | ---
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.2-example-service-b.echoserver
File: /lessons/112/k8s/2-example.yaml:70-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
70 | apiVersion: apps/v1
71 | kind: Deployment
72 | metadata:
73 |   name: echoserver
74 |   namespace: 2-example-service-b
75 | spec:
76 |   selector:
77 |     matchLabels:
78 |       app: echoserver
79 |   replicas: 1
80 |   template:
81 |     metadata:
82 |       labels:
83 |         app: echoserver
84 |     spec:
85 |       containers:
86 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
87 |           name: echoserver
88 |           ports:
89 |             - containerPort: 8080
90 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.2-example-service-b.echoserver
File: /lessons/112/k8s/2-example.yaml:70-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
70 | apiVersion: apps/v1
71 | kind: Deployment
72 | metadata:
73 |   name: echoserver
74 |   namespace: 2-example-service-b
75 | spec:
76 |   selector:
77 |     matchLabels:
78 |       app: echoserver
79 |   replicas: 1
80 |   template:
81 |     metadata:
82 |       labels:
83 |         app: echoserver
84 |     spec:
85 |       containers:
86 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
87 |           name: echoserver
88 |           ports:
89 |             - containerPort: 8080
90 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.2-example-service-b.echoserver
File: /lessons/112/k8s/2-example.yaml:70-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
70 | apiVersion: apps/v1
71 | kind: Deployment
72 | metadata:
73 |   name: echoserver
74 |   namespace: 2-example-service-b
75 | spec:
76 |   selector:
77 |     matchLabels:
78 |       app: echoserver
79 |   replicas: 1
80 |   template:
81 |     metadata:
82 |       labels:
83 |         app: echoserver
84 |     spec:
85 |       containers:
86 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
87 |           name: echoserver
88 |           ports:
89 |             - containerPort: 8080
90 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.2-example-service-b.echoserver
File: /lessons/112/k8s/2-example.yaml:70-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
70 | apiVersion: apps/v1
71 | kind: Deployment
72 | metadata:
73 |   name: echoserver
74 |   namespace: 2-example-service-b
75 | spec:
76 |   selector:
77 |     matchLabels:
78 |       app: echoserver
79 |   replicas: 1
80 |   template:
81 |     metadata:
82 |       labels:
83 |         app: echoserver
84 |     spec:
85 |       containers:
86 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
87 |           name: echoserver
88 |           ports:
89 |             - containerPort: 8080
90 | ---
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.2-example-service-b.echoserver
File: /lessons/112/k8s/2-example.yaml:70-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
70 | apiVersion: apps/v1
71 | kind: Deployment
72 | metadata:
73 |   name: echoserver
74 |   namespace: 2-example-service-b
75 | spec:
76 |   selector:
77 |     matchLabels:
78 |       app: echoserver
79 |   replicas: 1
80 |   template:
81 |     metadata:
82 |       labels:
83 |         app: echoserver
84 |     spec:
85 |       containers:
86 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
87 |           name: echoserver
88 |           ports:
89 |             - containerPort: 8080
90 | ---
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.2-example-service-b.echoserver
File: /lessons/112/k8s/2-example.yaml:70-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
70 | apiVersion: apps/v1
71 | kind: Deployment
72 | metadata:
73 |   name: echoserver
74 |   namespace: 2-example-service-b
75 | spec:
76 |   selector:
77 |     matchLabels:
78 |       app: echoserver
79 |   replicas: 1
80 |   template:
81 |     metadata:
82 |       labels:
83 |         app: echoserver
84 |     spec:
85 |       containers:
86 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
87 |           name: echoserver
88 |           ports:
89 |             - containerPort: 8080
90 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.2-example-service-b.echoserver
File: /lessons/112/k8s/2-example.yaml:70-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
70 | apiVersion: apps/v1
71 | kind: Deployment
72 | metadata:
73 |   name: echoserver
74 |   namespace: 2-example-service-b
75 | spec:
76 |   selector:
77 |     matchLabels:
78 |       app: echoserver
79 |   replicas: 1
80 |   template:
81 |     metadata:
82 |       labels:
83 |         app: echoserver
84 |     spec:
85 |       containers:
86 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
87 |           name: echoserver
88 |           ports:
89 |             - containerPort: 8080
90 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.5-example.echoserver
File: /lessons/112/k8s/5-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: echoserver
11 |   namespace: 5-example
12 | spec:
13 |   selector:
14 |     matchLabels:
15 |       app: echoserver
16 |   replicas: 1
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: echoserver
21 |     spec:
22 |       containers:
23 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 |           name: echoserver
25 |           ports:
26 |             - containerPort: 8080
27 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.5-example.echoserver
File: /lessons/112/k8s/5-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 |   name: echoserver
11 |   namespace: 5-example
12 | spec:
13 |   selector:
14 |     matchLabels:
15 |       app: echoserver
16 |   replicas: 1
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: echoserver
21 |     spec:
22 |       containers:
23 |         - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 |           name: echoserver
25 |           ports:
26 |             - containerPort: 8080
27 | ---
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.5-example.echoserver
File: /lessons/112/k8s/5-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.5-example.echoserver
File: /lessons/112/k8s/5-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.5-example.echoserver
File: /lessons/112/k8s/5-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.5-example.echoserver
File: /lessons/112/k8s/5-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.5-example.echoserver
File: /lessons/112/k8s/5-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.5-example.echoserver
File: /lessons/112/k8s/5-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.5-example.echoserver
File: /lessons/112/k8s/5-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.5-example.echoserver
File: /lessons/112/k8s/5-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.5-example.echoserver
File: /lessons/112/k8s/5-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.5-example.echoserver
File: /lessons/112/k8s/5-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.5-example.echoserver
File: /lessons/112/k8s/5-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.5-example.echoserver
File: /lessons/112/k8s/5-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.5-example.echoserver
File: /lessons/112/k8s/5-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.5-example.echoserver
File: /lessons/112/k8s/5-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.5-example.echoserver
File: /lessons/112/k8s/5-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.5-example.echoserver
File: /lessons/112/k8s/5-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.4-example.echoserver
File: /lessons/112/k8s/4-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
7 | apiVersion: apps/v1
8 | kind: Deployment
9 | metadata:
10 | name: echoserver
11 | namespace: 4-example
12 | spec:
13 | selector:
14 | matchLabels:
15 | app: echoserver
16 | replicas: 1
17 | template:
18 | metadata:
19 | labels:
20 | app: echoserver
21 | spec:
22 | containers:
23 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
24 | name: echoserver
25 | ports:
26 | - containerPort: 8080
27 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.4-example.echoserver
File: /lessons/112/k8s/4-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.4-example.echoserver
File: /lessons/112/k8s/4-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.4-example.echoserver
File: /lessons/112/k8s/4-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.4-example.echoserver
File: /lessons/112/k8s/4-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.4-example.echoserver
File: /lessons/112/k8s/4-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.4-example.echoserver
File: /lessons/112/k8s/4-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.4-example.echoserver
File: /lessons/112/k8s/4-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.4-example.echoserver
File: /lessons/112/k8s/4-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.4-example.echoserver
File: /lessons/112/k8s/4-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.4-example.echoserver
File: /lessons/112/k8s/4-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.4-example.echoserver
File: /lessons/112/k8s/4-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.4-example.echoserver
File: /lessons/112/k8s/4-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.4-example.echoserver
File: /lessons/112/k8s/4-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.4-example.echoserver
File: /lessons/112/k8s/4-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.4-example.echoserver
File: /lessons/112/k8s/4-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.4-example.echoserver
File: /lessons/112/k8s/4-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.4-example.echoserver
File: /lessons/112/k8s/4-example.yaml:7-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.api
File: /lessons/091/k8s/2-load-balancer/service.yaml:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: Service
4 | metadata:
5 | name: api
6 | spec:
7 | type: LoadBalancer
8 | ports:
9 | - protocol: TCP
10 | port: 80
11 | targetPort: 9376
12 | selector:
13 | app: api
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.nginx
File: /lessons/091/k8s/1-node-port/service.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: Service
4 | metadata:
5 | name: nginx
6 | namespace: default
7 | spec:
8 | selector:
9 | app: nginx
10 | type: NodePort
11 | ports:
12 | - name: http
13 | port: 80
14 | targetPort: 80
15 | nodePort: 31060
16 | protocol: TCP
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/091/k8s/0-cluster-ip/3.nginx.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | namespace: default
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 3
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.14.2
22 | ports:
23 | - containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/091/k8s/0-cluster-ip/3.nginx.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/091/k8s/0-cluster-ip/3.nginx.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/091/k8s/0-cluster-ip/3.nginx.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/091/k8s/0-cluster-ip/3.nginx.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/091/k8s/0-cluster-ip/3.nginx.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/091/k8s/0-cluster-ip/3.nginx.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/091/k8s/0-cluster-ip/3.nginx.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/091/k8s/0-cluster-ip/3.nginx.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/091/k8s/0-cluster-ip/3.nginx.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/091/k8s/0-cluster-ip/3.nginx.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/091/k8s/0-cluster-ip/3.nginx.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/091/k8s/0-cluster-ip/3.nginx.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/091/k8s/0-cluster-ip/3.nginx.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/091/k8s/0-cluster-ip/3.nginx.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/091/k8s/0-cluster-ip/3.nginx.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/091/k8s/0-cluster-ip/3.nginx.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/091/k8s/0-cluster-ip/3.nginx.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/091/k8s/0-cluster-ip/3.nginx.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /lessons/091/k8s/0-cluster-ip/0-dashboard.yaml:135-198
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /lessons/091/k8s/0-cluster-ip/0-dashboard.yaml:135-198
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /lessons/091/k8s/0-cluster-ip/0-dashboard.yaml:135-198
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /lessons/091/k8s/0-cluster-ip/0-dashboard.yaml:135-198
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /lessons/091/k8s/0-cluster-ip/0-dashboard.yaml:135-198
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /lessons/091/k8s/0-cluster-ip/0-dashboard.yaml:135-198
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /lessons/091/k8s/0-cluster-ip/0-dashboard.yaml:135-198
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_33: "Ensure the Kubernetes dashboard is not deployed"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /lessons/091/k8s/0-cluster-ip/0-dashboard.yaml:135-198
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-31.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /lessons/091/k8s/0-cluster-ip/0-dashboard.yaml:135-198
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /lessons/091/k8s/0-cluster-ip/0-dashboard.yaml:135-198
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /lessons/091/k8s/0-cluster-ip/0-dashboard.yaml:135-198
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /lessons/091/k8s/0-cluster-ip/0-dashboard.yaml:135-198
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /lessons/091/k8s/0-cluster-ip/0-dashboard.yaml:135-198
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /lessons/091/k8s/0-cluster-ip/0-dashboard.yaml:213-263
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /lessons/091/k8s/0-cluster-ip/0-dashboard.yaml:213-263
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /lessons/091/k8s/0-cluster-ip/0-dashboard.yaml:213-263
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /lessons/091/k8s/0-cluster-ip/0-dashboard.yaml:213-263
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /lessons/091/k8s/0-cluster-ip/0-dashboard.yaml:213-263
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /lessons/091/k8s/0-cluster-ip/0-dashboard.yaml:213-263
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_33: "Ensure the Kubernetes dashboard is not deployed"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /lessons/091/k8s/0-cluster-ip/0-dashboard.yaml:213-263
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-31.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /lessons/091/k8s/0-cluster-ip/0-dashboard.yaml:213-263
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /lessons/091/k8s/0-cluster-ip/0-dashboard.yaml:213-263
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /lessons/091/k8s/0-cluster-ip/0-dashboard.yaml:213-263
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /lessons/091/k8s/0-cluster-ip/0-dashboard.yaml:213-263
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /lessons/091/k8s/0-cluster-ip/0-dashboard.yaml:213-263
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /lessons/091/k8s/0-cluster-ip/0-dashboard.yaml:213-263
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/049/grafana/5-deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/049/grafana/5-deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/049/grafana/5-deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/049/grafana/5-deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/049/grafana/5-deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/049/grafana/5-deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/049/grafana/5-deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/049/grafana/5-deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/049/grafana/5-deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/049/grafana/5-deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/049/grafana/5-deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/049/grafana/5-deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: ClusterRole.default.prometheus-operator
File: /lessons/049/prometheus-operator/2-cluster-role.yaml:2-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/049/prometheus-operator/4-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   labels:
6 |     app.kubernetes.io/name: prometheus-operator
7 |   name: prometheus-operator
8 |   namespace: monitoring
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app.kubernetes.io/name: prometheus-operator
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app.kubernetes.io/name: prometheus-operator
18 |     spec:
19 |       containers:
20 |       - args:
21 |         - --kubelet-service=kube-system/kubelet
22 |         - --prometheus-config-reloader=quay.io/prometheus-operator/prometheus-config-reloader:v0.46.0
23 |         image: quay.io/prometheus-operator/prometheus-operator:v0.46.0
24 |         name: prometheus-operator
25 |         ports:
26 |         - containerPort: 8080
27 |           name: http
28 |         resources:
29 |           requests:
30 |             cpu: 100m
31 |             memory: 100Mi
32 |           limits:
33 |             cpu: 200m
34 |             memory: 200Mi
35 |         securityContext:
36 |           allowPrivilegeEscalation: false
37 |       nodeSelector:
38 |         kubernetes.io/os: linux
39 |       securityContext:
40 |         runAsNonRoot: true
41 |         runAsUser: 65534
42 |       serviceAccountName: prometheus-operator
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/049/prometheus-operator/4-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/049/prometheus-operator/4-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/049/prometheus-operator/4-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/049/prometheus-operator/4-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/049/prometheus-operator/4-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/049/prometheus-operator/4-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/049/prometheus-operator/4-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/049/prometheus-operator/4-deployment.yaml:2-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/1-example/environments/production/deployment.yaml:2-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx-deployment
6 | spec:
7 |   replicas: 20
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/1-example/environments/production/deployment.yaml:2-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/1-example/environments/production/deployment.yaml:2-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/1-example/environments/production/deployment.yaml:2-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/1-example/environments/production/deployment.yaml:2-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/1-example/environments/production/deployment.yaml:2-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/1-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx-deployment
6 |   namespace: default
7 |   labels:
8 |     app: nginx
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: nginx
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: nginx
18 |     spec:
19 |       containers:
20 |       - name: nginx
21 |         image: nginx:1.14.2
22 |         ports:
23 |         - containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/1-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/1-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/1-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/1-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/1-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/1-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/1-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/1-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/1-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/1-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/1-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/1-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/1-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/1-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/1-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/1-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/1-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/1-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/2-example/base/deployment.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx-deployment
6 |   namespace: default
7 |   labels:
8 |     app: nginx
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: nginx
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: nginx
18 |     spec:
19 |       containers:
20 |       - name: nginx
21 |         image: nginx:1.14.2
22 |         ports:
23 |         - containerPort: 80
24 |         env:
25 |         - name: ENV
26 |           valueFrom:
27 |             configMapKeyRef:
28 |               name: config
29 |               key: env
30 |         volumeMounts:
31 |         - name: credentials
32 |           mountPath: /etc/config
33 |       volumes:
34 |       - name: credentials
35 |         configMap:
36 |           name: credentials
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/2-example/base/deployment.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/2-example/base/deployment.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/2-example/base/deployment.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/2-example/base/deployment.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/2-example/base/deployment.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/2-example/base/deployment.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/2-example/base/deployment.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/2-example/base/deployment.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/2-example/base/deployment.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/2-example/base/deployment.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/2-example/base/deployment.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/2-example/base/deployment.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/2-example/base/deployment.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/2-example/base/deployment.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/2-example/base/deployment.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/2-example/base/deployment.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/2-example/base/deployment.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/2-example/base/deployment.yaml:2-36
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/4-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx-deployment
6 |   namespace: default
7 |   labels:
8 |     app: nginx
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: nginx
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: nginx
18 |     spec:
19 |       containers:
20 |       - name: nginx
21 |         image: nginx:1.14.2
22 |         ports:
23 |         - containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/4-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/4-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/4-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/4-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/4-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/4-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/4-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/4-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/4-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/4-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/4-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/4-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/4-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/4-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/4-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/4-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/4-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/4-example/base/deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/3-example/base/deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx-deployment
6 |   namespace: default
7 |   labels:
8 |     app: nginx
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: nginx
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: nginx
18 |     spec:
19 |       containers:
20 |       - name: nginx
21 |         image: nginx:1.14.2
22 |         ports:
23 |         - containerPort: 80
24 |         env:
25 |         - name: USERNAME
26 |           valueFrom:
27 |             secretKeyRef:
28 |               name: username
29 |               key: username
30 |         - name: REGION
31 |           valueFrom:
32 |             secretKeyRef:
33 |               name: region
34 |               key: region
35 |         - name: PASWD
36 |           valueFrom:
37 |             secretKeyRef:
38 |               name: password
39 |               key: PASSWORD
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/3-example/base/deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/3-example/base/deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/3-example/base/deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/3-example/base/deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/3-example/base/deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | namespace: default
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.14.2
22 | ports:
23 | - containerPort: 80
24 | env:
25 | - name: USERNAME
26 | valueFrom:
27 | secretKeyRef:
28 | name: username
29 | key: username
30 | - name: REGION
31 | valueFrom:
32 | secretKeyRef:
33 | name: region
34 | key: region
35 | - name: PASWD
36 | valueFrom:
37 | secretKeyRef:
38 | name: password
39 | key: PASSWORD
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/3-example/base/deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | namespace: default
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.14.2
22 | ports:
23 | - containerPort: 80
24 | env:
25 | - name: USERNAME
26 | valueFrom:
27 | secretKeyRef:
28 | name: username
29 | key: username
30 | - name: REGION
31 | valueFrom:
32 | secretKeyRef:
33 | name: region
34 | key: region
35 | - name: PASWD
36 | valueFrom:
37 | secretKeyRef:
38 | name: password
39 | key: PASSWORD
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/3-example/base/deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | namespace: default
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.14.2
22 | ports:
23 | - containerPort: 80
24 | env:
25 | - name: USERNAME
26 | valueFrom:
27 | secretKeyRef:
28 | name: username
29 | key: username
30 | - name: REGION
31 | valueFrom:
32 | secretKeyRef:
33 | name: region
34 | key: region
35 | - name: PASWD
36 | valueFrom:
37 | secretKeyRef:
38 | name: password
39 | key: PASSWORD
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/3-example/base/deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | namespace: default
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.14.2
22 | ports:
23 | - containerPort: 80
24 | env:
25 | - name: USERNAME
26 | valueFrom:
27 | secretKeyRef:
28 | name: username
29 | key: username
30 | - name: REGION
31 | valueFrom:
32 | secretKeyRef:
33 | name: region
34 | key: region
35 | - name: PASWD
36 | valueFrom:
37 | secretKeyRef:
38 | name: password
39 | key: PASSWORD
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/3-example/base/deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | namespace: default
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.14.2
22 | ports:
23 | - containerPort: 80
24 | env:
25 | - name: USERNAME
26 | valueFrom:
27 | secretKeyRef:
28 | name: username
29 | key: username
30 | - name: REGION
31 | valueFrom:
32 | secretKeyRef:
33 | name: region
34 | key: region
35 | - name: PASWD
36 | valueFrom:
37 | secretKeyRef:
38 | name: password
39 | key: PASSWORD
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/3-example/base/deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | namespace: default
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.14.2
22 | ports:
23 | - containerPort: 80
24 | env:
25 | - name: USERNAME
26 | valueFrom:
27 | secretKeyRef:
28 | name: username
29 | key: username
30 | - name: REGION
31 | valueFrom:
32 | secretKeyRef:
33 | name: region
34 | key: region
35 | - name: PASWD
36 | valueFrom:
37 | secretKeyRef:
38 | name: password
39 | key: PASSWORD
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/3-example/base/deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | namespace: default
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.14.2
22 | ports:
23 | - containerPort: 80
24 | env:
25 | - name: USERNAME
26 | valueFrom:
27 | secretKeyRef:
28 | name: username
29 | key: username
30 | - name: REGION
31 | valueFrom:
32 | secretKeyRef:
33 | name: region
34 | key: region
35 | - name: PASWD
36 | valueFrom:
37 | secretKeyRef:
38 | name: password
39 | key: PASSWORD
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/3-example/base/deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | namespace: default
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.14.2
22 | ports:
23 | - containerPort: 80
24 | env:
25 | - name: USERNAME
26 | valueFrom:
27 | secretKeyRef:
28 | name: username
29 | key: username
30 | - name: REGION
31 | valueFrom:
32 | secretKeyRef:
33 | name: region
34 | key: region
35 | - name: PASWD
36 | valueFrom:
37 | secretKeyRef:
38 | name: password
39 | key: PASSWORD
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/3-example/base/deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | namespace: default
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.14.2
22 | ports:
23 | - containerPort: 80
24 | env:
25 | - name: USERNAME
26 | valueFrom:
27 | secretKeyRef:
28 | name: username
29 | key: username
30 | - name: REGION
31 | valueFrom:
32 | secretKeyRef:
33 | name: region
34 | key: region
35 | - name: PASWD
36 | valueFrom:
37 | secretKeyRef:
38 | name: password
39 | key: PASSWORD
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/3-example/base/deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | namespace: default
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.14.2
22 | ports:
23 | - containerPort: 80
24 | env:
25 | - name: USERNAME
26 | valueFrom:
27 | secretKeyRef:
28 | name: username
29 | key: username
30 | - name: REGION
31 | valueFrom:
32 | secretKeyRef:
33 | name: region
34 | key: region
35 | - name: PASWD
36 | valueFrom:
37 | secretKeyRef:
38 | name: password
39 | key: PASSWORD
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/3-example/base/deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | namespace: default
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.14.2
22 | ports:
23 | - containerPort: 80
24 | env:
25 | - name: USERNAME
26 | valueFrom:
27 | secretKeyRef:
28 | name: username
29 | key: username
30 | - name: REGION
31 | valueFrom:
32 | secretKeyRef:
33 | name: region
34 | key: region
35 | - name: PASWD
36 | valueFrom:
37 | secretKeyRef:
38 | name: password
39 | key: PASSWORD
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/3-example/base/deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | namespace: default
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.14.2
22 | ports:
23 | - containerPort: 80
24 | env:
25 | - name: USERNAME
26 | valueFrom:
27 | secretKeyRef:
28 | name: username
29 | key: username
30 | - name: REGION
31 | valueFrom:
32 | secretKeyRef:
33 | name: region
34 | key: region
35 | - name: PASWD
36 | valueFrom:
37 | secretKeyRef:
38 | name: password
39 | key: PASSWORD
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/3-example/base/deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | namespace: default
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.14.2
22 | ports:
23 | - containerPort: 80
24 | env:
25 | - name: USERNAME
26 | valueFrom:
27 | secretKeyRef:
28 | name: username
29 | key: username
30 | - name: REGION
31 | valueFrom:
32 | secretKeyRef:
33 | name: region
34 | key: region
35 | - name: PASWD
36 | valueFrom:
37 | secretKeyRef:
38 | name: password
39 | key: PASSWORD
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/3-example/base/deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | namespace: default
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.14.2
22 | ports:
23 | - containerPort: 80
24 | env:
25 | - name: USERNAME
26 | valueFrom:
27 | secretKeyRef:
28 | name: username
29 | key: username
30 | - name: REGION
31 | valueFrom:
32 | secretKeyRef:
33 | name: region
34 | key: region
35 | - name: PASWD
36 | valueFrom:
37 | secretKeyRef:
38 | name: password
39 | key: PASSWORD
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/111/3-example/base/deployment.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | namespace: default
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.14.2
22 | ports:
23 | - containerPort: 80
24 | env:
25 | - name: USERNAME
26 | valueFrom:
27 | secretKeyRef:
28 | name: username
29 | key: username
30 | - name: REGION
31 | valueFrom:
32 | secretKeyRef:
33 | name: region
34 | key: region
35 | - name: PASWD
36 | valueFrom:
37 | secretKeyRef:
38 | name: password
39 | key: PASSWORD
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: ClusterRole.default.reader
File: /lessons/103/k8s/read-group.yaml:2-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
2 | apiVersion: rbac.authorization.k8s.io/v1
3 | kind: ClusterRole
4 | metadata:
5 | name: reader
6 | rules:
7 | - apiGroups: ["*"]
8 | resources: ["deployments", "configmaps", "pods", "secrets", "services"]
9 | verbs: ["get", "list", "watch"]
10 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Secret.default.credentials
File: /lessons/043/k8s/01-secret.yaml:2-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: Secret
4 | metadata:
5 | name: credentials
6 | type: Opaque
7 | data:
8 | username: YWRtaW4=
9 | password: c2VjcmV0MTIz
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.test-env
File: /lessons/043/k8s/04-deployment-env.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: test-env
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: test
11 | template:
12 | metadata:
13 | labels:
14 | app: test
15 | spec:
16 | containers:
17 | - name: test
18 | image: antonputra/043:v0.1.5
19 | ports:
20 | - containerPort: 9090
21 | env:
22 | - name: MY_PASSWORD
23 | valueFrom:
24 | secretKeyRef:
25 | name: credentials
26 | key: password
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.test-env
File: /lessons/043/k8s/04-deployment-env.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: test-env
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: test
11 | template:
12 | metadata:
13 | labels:
14 | app: test
15 | spec:
16 | containers:
17 | - name: test
18 | image: antonputra/043:v0.1.5
19 | ports:
20 | - containerPort: 9090
21 | env:
22 | - name: MY_PASSWORD
23 | valueFrom:
24 | secretKeyRef:
25 | name: credentials
26 | key: password
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.test-env
File: /lessons/043/k8s/04-deployment-env.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: test-env
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: test
11 | template:
12 | metadata:
13 | labels:
14 | app: test
15 | spec:
16 | containers:
17 | - name: test
18 | image: antonputra/043:v0.1.5
19 | ports:
20 | - containerPort: 9090
21 | env:
22 | - name: MY_PASSWORD
23 | valueFrom:
24 | secretKeyRef:
25 | name: credentials
26 | key: password
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.test-env
File: /lessons/043/k8s/04-deployment-env.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: test-env
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: test
11 | template:
12 | metadata:
13 | labels:
14 | app: test
15 | spec:
16 | containers:
17 | - name: test
18 | image: antonputra/043:v0.1.5
19 | ports:
20 | - containerPort: 9090
21 | env:
22 | - name: MY_PASSWORD
23 | valueFrom:
24 | secretKeyRef:
25 | name: credentials
26 | key: password
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.test-env
File: /lessons/043/k8s/04-deployment-env.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: test-env
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: test
11 | template:
12 | metadata:
13 | labels:
14 | app: test
15 | spec:
16 | containers:
17 | - name: test
18 | image: antonputra/043:v0.1.5
19 | ports:
20 | - containerPort: 9090
21 | env:
22 | - name: MY_PASSWORD
23 | valueFrom:
24 | secretKeyRef:
25 | name: credentials
26 | key: password
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.test-env
File: /lessons/043/k8s/04-deployment-env.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: test-env
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: test
11 | template:
12 | metadata:
13 | labels:
14 | app: test
15 | spec:
16 | containers:
17 | - name: test
18 | image: antonputra/043:v0.1.5
19 | ports:
20 | - containerPort: 9090
21 | env:
22 | - name: MY_PASSWORD
23 | valueFrom:
24 | secretKeyRef:
25 | name: credentials
26 | key: password
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.test-env
File: /lessons/043/k8s/04-deployment-env.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: test-env
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: test
11 | template:
12 | metadata:
13 | labels:
14 | app: test
15 | spec:
16 | containers:
17 | - name: test
18 | image: antonputra/043:v0.1.5
19 | ports:
20 | - containerPort: 9090
21 | env:
22 | - name: MY_PASSWORD
23 | valueFrom:
24 | secretKeyRef:
25 | name: credentials
26 | key: password
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.test-env
File: /lessons/043/k8s/04-deployment-env.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: test-env
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: test
11 | template:
12 | metadata:
13 | labels:
14 | app: test
15 | spec:
16 | containers:
17 | - name: test
18 | image: antonputra/043:v0.1.5
19 | ports:
20 | - containerPort: 9090
21 | env:
22 | - name: MY_PASSWORD
23 | valueFrom:
24 | secretKeyRef:
25 | name: credentials
26 | key: password
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.test-env
File: /lessons/043/k8s/04-deployment-env.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: test-env
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: test
11 | template:
12 | metadata:
13 | labels:
14 | app: test
15 | spec:
16 | containers:
17 | - name: test
18 | image: antonputra/043:v0.1.5
19 | ports:
20 | - containerPort: 9090
21 | env:
22 | - name: MY_PASSWORD
23 | valueFrom:
24 | secretKeyRef:
25 | name: credentials
26 | key: password
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.test-env
File: /lessons/043/k8s/04-deployment-env.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: test-env
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: test
11 | template:
12 | metadata:
13 | labels:
14 | app: test
15 | spec:
16 | containers:
17 | - name: test
18 | image: antonputra/043:v0.1.5
19 | ports:
20 | - containerPort: 9090
21 | env:
22 | - name: MY_PASSWORD
23 | valueFrom:
24 | secretKeyRef:
25 | name: credentials
26 | key: password
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.test-env
File: /lessons/043/k8s/04-deployment-env.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: test-env
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: test
11 | template:
12 | metadata:
13 | labels:
14 | app: test
15 | spec:
16 | containers:
17 | - name: test
18 | image: antonputra/043:v0.1.5
19 | ports:
20 | - containerPort: 9090
21 | env:
22 | - name: MY_PASSWORD
23 | valueFrom:
24 | secretKeyRef:
25 | name: credentials
26 | key: password
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.test-env
File: /lessons/043/k8s/04-deployment-env.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: test-env
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: test
11 | template:
12 | metadata:
13 | labels:
14 | app: test
15 | spec:
16 | containers:
17 | - name: test
18 | image: antonputra/043:v0.1.5
19 | ports:
20 | - containerPort: 9090
21 | env:
22 | - name: MY_PASSWORD
23 | valueFrom:
24 | secretKeyRef:
25 | name: credentials
26 | key: password
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.default.test-env
File: /lessons/043/k8s/04-deployment-env.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: test-env
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: test
11 | template:
12 | metadata:
13 | labels:
14 | app: test
15 | spec:
16 | containers:
17 | - name: test
18 | image: antonputra/043:v0.1.5
19 | ports:
20 | - containerPort: 9090
21 | env:
22 | - name: MY_PASSWORD
23 | valueFrom:
24 | secretKeyRef:
25 | name: credentials
26 | key: password
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.test-env
File: /lessons/043/k8s/04-deployment-env.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: test-env
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: test
11 | template:
12 | metadata:
13 | labels:
14 | app: test
15 | spec:
16 | containers:
17 | - name: test
18 | image: antonputra/043:v0.1.5
19 | ports:
20 | - containerPort: 9090
21 | env:
22 | - name: MY_PASSWORD
23 | valueFrom:
24 | secretKeyRef:
25 | name: credentials
26 | key: password
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.test-env
File: /lessons/043/k8s/04-deployment-env.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: test-env
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: test
11 | template:
12 | metadata:
13 | labels:
14 | app: test
15 | spec:
16 | containers:
17 | - name: test
18 | image: antonputra/043:v0.1.5
19 | ports:
20 | - containerPort: 9090
21 | env:
22 | - name: MY_PASSWORD
23 | valueFrom:
24 | secretKeyRef:
25 | name: credentials
26 | key: password
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.test-env
File: /lessons/043/k8s/04-deployment-env.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: test-env
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: test
11 | template:
12 | metadata:
13 | labels:
14 | app: test
15 | spec:
16 | containers:
17 | - name: test
18 | image: antonputra/043:v0.1.5
19 | ports:
20 | - containerPort: 9090
21 | env:
22 | - name: MY_PASSWORD
23 | valueFrom:
24 | secretKeyRef:
25 | name: credentials
26 | key: password
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.test-env
File: /lessons/043/k8s/04-deployment-env.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: test-env
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: test
11 | template:
12 | metadata:
13 | labels:
14 | app: test
15 | spec:
16 | containers:
17 | - name: test
18 | image: antonputra/043:v0.1.5
19 | ports:
20 | - containerPort: 9090
21 | env:
22 | - name: MY_PASSWORD
23 | valueFrom:
24 | secretKeyRef:
25 | name: credentials
26 | key: password
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.test-env
File: /lessons/043/k8s/04-deployment-env.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: test-env
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: test
11 | template:
12 | metadata:
13 | labels:
14 | app: test
15 | spec:
16 | containers:
17 | - name: test
18 | image: antonputra/043:v0.1.5
19 | ports:
20 | - containerPort: 9090
21 | env:
22 | - name: MY_PASSWORD
23 | valueFrom:
24 | secretKeyRef:
25 | name: credentials
26 | key: password
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.test-env
File: /lessons/043/k8s/04-deployment-env.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: test-env
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: test
11 | template:
12 | metadata:
13 | labels:
14 | app: test
15 | spec:
16 | containers:
17 | - name: test
18 | image: antonputra/043:v0.1.5
19 | ports:
20 | - containerPort: 9090
21 | env:
22 | - name: MY_PASSWORD
23 | valueFrom:
24 | secretKeyRef:
25 | name: credentials
26 | key: password
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.test-env
File: /lessons/043/k8s/04-deployment-env.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.test-file
File: /lessons/043/k8s/02-deployment-file.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: test-file
6 | spec:
7 |   replicas: 1
8 |   selector:
9 |     matchLabels:
10 |       app: test
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: test
15 |     spec:
16 |       containers:
17 |         - name: test
18 |           image: antonputra/043:v0.1.5
19 |           ports:
20 |             - containerPort: 9090
21 |           volumeMounts:
22 |             - name: credentials-volume
23 |               mountPath: "/etc/credentials"
24 |               readOnly: true
25 |       volumes:
26 |         - name: credentials-volume
27 |           secret:
28 |             secretName: credentials
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.test-file
File: /lessons/043/k8s/02-deployment-file.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.test-file
File: /lessons/043/k8s/02-deployment-file.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.test-file
File: /lessons/043/k8s/02-deployment-file.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.test-file
File: /lessons/043/k8s/02-deployment-file.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.test-file
File: /lessons/043/k8s/02-deployment-file.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.test-file
File: /lessons/043/k8s/02-deployment-file.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.test-file
File: /lessons/043/k8s/02-deployment-file.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.test-file
File: /lessons/043/k8s/02-deployment-file.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.test-file
File: /lessons/043/k8s/02-deployment-file.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.test-file
File: /lessons/043/k8s/02-deployment-file.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.test-file
File: /lessons/043/k8s/02-deployment-file.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.test-file
File: /lessons/043/k8s/02-deployment-file.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.test-file
File: /lessons/043/k8s/02-deployment-file.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.test-file
File: /lessons/043/k8s/02-deployment-file.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.test-file
File: /lessons/043/k8s/02-deployment-file.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.test-file
File: /lessons/043/k8s/02-deployment-file.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.test-file
File: /lessons/043/k8s/02-deployment-file.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.test-file
File: /lessons/043/k8s/02-deployment-file.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.production.bar
File: /lessons/045/k8s/03-production-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: bar
6 |   namespace: production
7 |   labels:
8 |     app: bar
9 | spec:
10 |   replicas: 3
11 |   selector:
12 |     matchLabels:
13 |       app: bar
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: bar
18 |     spec:
19 |       containers:
20 |         - name: bar
21 |           image: nginx:1.14.2
22 |           ports:
23 |             - containerPort: 80
24 |       affinity:
25 |         nodeAffinity:
26 |           requiredDuringSchedulingIgnoredDuringExecution:
27 |             nodeSelectorTerms:
28 |               - matchExpressions:
29 |                   - key: role
30 |                     operator: In
31 |                     values:
32 |                       - on-demand
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.production.bar
File: /lessons/045/k8s/03-production-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.production.bar
File: /lessons/045/k8s/03-production-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.production.bar
File: /lessons/045/k8s/03-production-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.production.bar
File: /lessons/045/k8s/03-production-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.production.bar
File: /lessons/045/k8s/03-production-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.production.bar
File: /lessons/045/k8s/03-production-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.production.bar
File: /lessons/045/k8s/03-production-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.production.bar
File: /lessons/045/k8s/03-production-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.production.bar
File: /lessons/045/k8s/03-production-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.production.bar
File: /lessons/045/k8s/03-production-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.production.bar
File: /lessons/045/k8s/03-production-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.production.bar
File: /lessons/045/k8s/03-production-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.production.bar
File: /lessons/045/k8s/03-production-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.production.bar
File: /lessons/045/k8s/03-production-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.production.bar
File: /lessons/045/k8s/03-production-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.production.bar
File: /lessons/045/k8s/03-production-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
[resource listing identical to the Deployment.production.bar block printed above; not repeated]
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.production.bar
File: /lessons/045/k8s/03-production-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
[resource listing identical to the Deployment.production.bar block printed above; not repeated]
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.staging.foo
File: /lessons/045/k8s/04-staging-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: foo
6 |   namespace: staging
7 |   labels:
8 |     app: foo
9 | spec:
10 |   replicas: 2
11 |   selector:
12 |     matchLabels:
13 |       app: foo
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: foo
18 |     spec:
19 |       containers:
20 |       - name: foo
21 |         image: nginx:1.14.2
22 |         ports:
23 |         - containerPort: 80
24 |       affinity:
25 |         nodeAffinity:
26 |           requiredDuringSchedulingIgnoredDuringExecution:
27 |             nodeSelectorTerms:
28 |             - matchExpressions:
29 |               - key: role
30 |                 operator: In
31 |                 values:
32 |                 - spot
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.foo
File: /lessons/045/k8s/04-staging-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
[resource listing identical to the Deployment.staging.foo block printed above; not repeated]
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.staging.foo
File: /lessons/045/k8s/04-staging-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
[resource listing identical to the Deployment.staging.foo block printed above; not repeated]
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.foo
File: /lessons/045/k8s/04-staging-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
[resource listing identical to the Deployment.staging.foo block printed above; not repeated]
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.foo
File: /lessons/045/k8s/04-staging-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
[resource listing identical to the Deployment.staging.foo block printed above; not repeated]
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.foo
File: /lessons/045/k8s/04-staging-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
[resource listing identical to the Deployment.staging.foo block printed above; not repeated]
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.foo
File: /lessons/045/k8s/04-staging-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
[resource listing identical to the Deployment.staging.foo block printed above; not repeated]
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.foo
File: /lessons/045/k8s/04-staging-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
[resource listing identical to the Deployment.staging.foo block printed above; not repeated]
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.foo
File: /lessons/045/k8s/04-staging-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
[resource listing identical to the Deployment.staging.foo block printed above; not repeated]
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.foo
File: /lessons/045/k8s/04-staging-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
[resource listing identical to the Deployment.staging.foo block printed above; not repeated]
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.foo
File: /lessons/045/k8s/04-staging-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
[resource listing identical to the Deployment.staging.foo block printed above; not repeated]
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.staging.foo
File: /lessons/045/k8s/04-staging-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
[resource listing identical to the Deployment.staging.foo block printed above; not repeated]
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.foo
File: /lessons/045/k8s/04-staging-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
[resource listing identical to the Deployment.staging.foo block printed above; not repeated]
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.foo
File: /lessons/045/k8s/04-staging-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
[resource listing identical to the Deployment.staging.foo block printed above; not repeated]
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.foo
File: /lessons/045/k8s/04-staging-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
[resource listing identical to the Deployment.staging.foo block printed above; not repeated]
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.staging.foo
File: /lessons/045/k8s/04-staging-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
[resource listing identical to the Deployment.staging.foo block printed above; not repeated]
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.staging.foo
File: /lessons/045/k8s/04-staging-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
[resource listing identical to the Deployment.staging.foo block printed above; not repeated]
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.foo
File: /lessons/045/k8s/04-staging-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
[resource listing identical to the Deployment.staging.foo block printed above; not repeated]
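The 18 findings above against Deployment.staging.foo all come from fields the manifest leaves unset. The following is an added example, not code from the antonputra/tutorials repository and not checkov's own implementation: a simplified re-implementation of those 18 checks, run over a constructed copy of the foo Deployment (as printed in the report) and over a hardened version that clears every finding. The manifests are plain Python dicts mirroring the YAML so no YAML library is needed; the hardened values (UID 10001, resource sizes, probe paths, the all-zero placeholder digest) are illustrative assumptions, not values from the repository.

```python
"""Simplified versions of the checkov Kubernetes checks listed in the report,
applied to the staging `foo` Deployment and to a hardened rewrite of it.
Added example: not the repository's code and not checkov's implementation."""

# Constructed from the /lessons/045/k8s/04-staging-deployment.yaml listing above
# (labels and affinity omitted; they play no part in these checks).
WEAK = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "foo", "namespace": "staging"},
    "spec": {"replicas": 2, "template": {"spec": {
        "containers": [{"name": "foo", "image": "nginx:1.14.2",
                        "ports": [{"containerPort": 80}]}]}}},
}

# Hardened rewrite. UID, resource sizes, probe paths and the all-zero
# placeholder digest are assumptions for illustration, not the repo's values.
HARDENED = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "foo", "namespace": "staging"},
    "spec": {"replicas": 2, "template": {"spec": {
        "automountServiceAccountToken": False,                # CKV_K8S_38
        "securityContext": {                                  # CKV_K8S_29
            "runAsNonRoot": True, "runAsUser": 10001,         # CKV_K8S_23, _40
            "seccompProfile": {"type": "RuntimeDefault"},     # CKV_K8S_31
        },
        "containers": [{
            "name": "foo",
            "image": "nginx@sha256:" + "0" * 64,              # CKV_K8S_43 (placeholder digest)
            "imagePullPolicy": "Always",                      # CKV_K8S_15
            "ports": [{"containerPort": 80}],
            "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},  # CKV_K8S_10, _12
                          "limits": {"cpu": "500m", "memory": "256Mi"}},   # CKV_K8S_11, _13
            "livenessProbe": {"httpGet": {"path": "/", "port": 80}},       # CKV_K8S_8
            "readinessProbe": {"httpGet": {"path": "/", "port": 80}},      # CKV_K8S_9
            "securityContext": {                              # CKV_K8S_30
                "allowPrivilegeEscalation": False,            # CKV_K8S_20
                "readOnlyRootFilesystem": True,               # CKV_K8S_22
                "capabilities": {"drop": ["ALL"]},            # CKV_K8S_28, _37
            },
        }],
    }}},
}


def check_container(c, pod_sc):
    """Failed check IDs for one container. pod_sc is the pod-level securityContext,
    which may satisfy the root/UID checks on the container's behalf."""
    failed = set()
    sc = c.get("securityContext", {})
    res = c.get("resources", {})
    for cid, key in (("CKV_K8S_8", "livenessProbe"), ("CKV_K8S_9", "readinessProbe")):
        if key not in c:
            failed.add(cid)
    for cid, kind, unit in (("CKV_K8S_10", "requests", "cpu"), ("CKV_K8S_11", "limits", "cpu"),
                            ("CKV_K8S_12", "requests", "memory"), ("CKV_K8S_13", "limits", "memory")):
        if not res.get(kind, {}).get(unit):
            failed.add(cid)
    if c.get("imagePullPolicy") != "Always":
        failed.add("CKV_K8S_15")
    if sc.get("allowPrivilegeEscalation") is not False:
        failed.add("CKV_K8S_20")
    if sc.get("readOnlyRootFilesystem") is not True:
        failed.add("CKV_K8S_22")
    # Root: either level must declare runAsNonRoot or a non-zero runAsUser
    if not any(s.get("runAsNonRoot") is True or s.get("runAsUser", 0) > 0 for s in (pod_sc, sc)):
        failed.add("CKV_K8S_23")
    drop = {str(cap).upper() for cap in sc.get("capabilities", {}).get("drop", [])}
    if not drop & {"ALL", "NET_RAW"}:
        failed.add("CKV_K8S_28")
    if not sc:
        failed.add("CKV_K8S_30")
    if "ALL" not in drop:
        failed.add("CKV_K8S_37")
    if not any(s.get("runAsUser", 0) > 10000 for s in (pod_sc, sc)):  # "high UID"
        failed.add("CKV_K8S_40")
    if "@sha256:" not in c.get("image", ""):
        failed.add("CKV_K8S_43")
    return failed


def run_checks(manifest):
    """Failed check IDs for a Deployment/DaemonSet-style manifest."""
    pod = manifest["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext", {})
    containers = pod.get("containers", [])
    failed = set()
    if pod.get("automountServiceAccountToken") is not False:
        failed.add("CKV_K8S_38")
    if not pod_sc and not all(c.get("securityContext") for c in containers):
        failed.add("CKV_K8S_29")
    contexts = [pod_sc] + [c.get("securityContext", {}) for c in containers]
    if not any(s.get("seccompProfile", {}).get("type") == "RuntimeDefault" for s in contexts):
        failed.add("CKV_K8S_31")
    for c in containers:
        failed |= check_container(c, pod_sc)
    return failed


if __name__ == "__main__":
    for name, manifest in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}: {sorted(run_checks(manifest)) or 'no findings'}")
```

Running the script prints the same 18 IDs for the weak manifest that the report lists for Deployment.staging.foo and no findings for the hardened one. Two caveats a practitioner should weigh before copying the hardened block: nginx:1.14.2 writes to /var/cache/nginx and /var/run by default, so readOnlyRootFilesystem needs emptyDir mounts there (or a non-root nginx image) to actually start, and pinning by digest only helps if the digest is refreshed as part of the image update process.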
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/138/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/138/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/138/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/138/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/138/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/138/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/138/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/138/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/138/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/138/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/138/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/138/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: DaemonSet.cadvisor.cadvisor
File: /lessons/138/monitoring/cadvisor/2-daemonset.yaml:2-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/138/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/138/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/138/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/138/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/138/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/138/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/138/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/138/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/138/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/138/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/138/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/138/monitoring/prometheus-operator/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/138/monitoring/prometheus-operator/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/138/monitoring/prometheus-operator/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/138/monitoring/prometheus-operator/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/138/monitoring/prometheus-operator/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/138/monitoring/prometheus-operator/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: ClusterRole.default.prometheus-operator
File: /lessons/138/monitoring/prometheus-operator/1-cluster-role.yaml:2-81
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/138/monitoring/kube-state-metrics/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/138/monitoring/kube-state-metrics/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/138/monitoring/kube-state-metrics/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/138/monitoring/kube-state-metrics/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/138/monitoring/kube-state-metrics/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.go-app
File: /lessons/138/go-app/deploy/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: go-app
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: go-app
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: go-app
16 |     spec:
17 |       containers:
18 |         - name: go-app
19 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:0.1.2
20 |           ports:
21 |             - name: http
22 |               containerPort: 8001
23 |           resources:
24 |             requests:
25 |               memory: 512Mi
26 |               cpu: 500m
27 |             limits:
28 |               memory: 1024Mi
29 |               cpu: 1000m
30 |           env:
31 |             - name: GIN_MODE
32 |               value: release
33 |       affinity:
34 |         podAntiAffinity:
35 |           preferredDuringSchedulingIgnoredDuringExecution:
36 |             - weight: 100
37 |               podAffinityTerm:
38 |                 labelSelector:
39 |                   matchExpressions:
40 |                     - key: app
41 |                       operator: In
42 |                       values:
43 |                         - go-app
44 |                         - rust-app
45 |                 topologyKey: topology.kubernetes.io/zone
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.go-app
File: /lessons/138/go-app/deploy/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.go-app
File: /lessons/138/go-app/deploy/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.go-app
File: /lessons/138/go-app/deploy/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.go-app
File: /lessons/138/go-app/deploy/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.go-app
File: /lessons/138/go-app/deploy/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.go-app
File: /lessons/138/go-app/deploy/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.go-app
File: /lessons/138/go-app/deploy/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.go-app
File: /lessons/138/go-app/deploy/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.go-app
File: /lessons/138/go-app/deploy/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.go-app
File: /lessons/138/go-app/deploy/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.go-app
File: /lessons/138/go-app/deploy/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.staging.go-app
File: /lessons/138/go-app/deploy/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.go-app
File: /lessons/138/go-app/deploy/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.rust-app
File: /lessons/138/rust-app/deploy/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: rust-app
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: rust-app
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: rust-app
16 |     spec:
17 |       containers:
18 |         - name: rust-app
19 |           image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/rust-app:0.1.3
20 |           env:
21 |             - name: ROCKET_ADDRESS
22 |               value: 0.0.0.0
23 |           ports:
24 |             - name: http
25 |               containerPort: 8000
26 |           resources:
27 |             requests:
28 |               memory: 512Mi
29 |               cpu: 500m
30 |             limits:
31 |               memory: 1024Mi
32 |               cpu: 1000m
33 |       affinity:
34 |         podAntiAffinity:
35 |           preferredDuringSchedulingIgnoredDuringExecution:
36 |             - weight: 100
37 |               podAffinityTerm:
38 |                 labelSelector:
39 |                   matchExpressions:
40 |                     - key: app
41 |                       operator: In
42 |                       values:
43 |                         - rust-app
44 |                         - go-app
45 |                 topologyKey: topology.kubernetes.io/zone
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.rust-app
File: /lessons/138/rust-app/deploy/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.rust-app
File: /lessons/138/rust-app/deploy/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.rust-app
File: /lessons/138/rust-app/deploy/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.rust-app
File: /lessons/138/rust-app/deploy/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.rust-app
File: /lessons/138/rust-app/deploy/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.rust-app
File: /lessons/138/rust-app/deploy/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.rust-app
File: /lessons/138/rust-app/deploy/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.rust-app
File: /lessons/138/rust-app/deploy/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.rust-app
File: /lessons/138/rust-app/deploy/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.rust-app
File: /lessons/138/rust-app/deploy/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: rust-app
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: rust-app
12 | template:
13 | metadata:
14 | labels:
15 | app: rust-app
16 | spec:
17 | containers:
18 | - name: rust-app
19 | image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/rust-app:0.1.3
20 | env:
21 | - name: ROCKET_ADDRESS
22 | value: 0.0.0.0
23 | ports:
24 | - name: http
25 | containerPort: 8000
26 | resources:
27 | requests:
28 | memory: 512Mi
29 | cpu: 500m
30 | limits:
31 | memory: 1024Mi
32 | cpu: 1000m
33 | affinity:
34 | podAntiAffinity:
35 | preferredDuringSchedulingIgnoredDuringExecution:
36 | - weight: 100
37 | podAffinityTerm:
38 | labelSelector:
39 | matchExpressions:
40 | - key: app
41 | operator: In
42 | values:
43 | - rust-app
44 | - go-app
45 | topologyKey: topology.kubernetes.io/zone
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.rust-app
File: /lessons/138/rust-app/deploy/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: rust-app
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: rust-app
12 | template:
13 | metadata:
14 | labels:
15 | app: rust-app
16 | spec:
17 | containers:
18 | - name: rust-app
19 | image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/rust-app:0.1.3
20 | env:
21 | - name: ROCKET_ADDRESS
22 | value: 0.0.0.0
23 | ports:
24 | - name: http
25 | containerPort: 8000
26 | resources:
27 | requests:
28 | memory: 512Mi
29 | cpu: 500m
30 | limits:
31 | memory: 1024Mi
32 | cpu: 1000m
33 | affinity:
34 | podAntiAffinity:
35 | preferredDuringSchedulingIgnoredDuringExecution:
36 | - weight: 100
37 | podAffinityTerm:
38 | labelSelector:
39 | matchExpressions:
40 | - key: app
41 | operator: In
42 | values:
43 | - rust-app
44 | - go-app
45 | topologyKey: topology.kubernetes.io/zone
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.staging.rust-app
File: /lessons/138/rust-app/deploy/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: rust-app
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: rust-app
12 | template:
13 | metadata:
14 | labels:
15 | app: rust-app
16 | spec:
17 | containers:
18 | - name: rust-app
19 | image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/rust-app:0.1.3
20 | env:
21 | - name: ROCKET_ADDRESS
22 | value: 0.0.0.0
23 | ports:
24 | - name: http
25 | containerPort: 8000
26 | resources:
27 | requests:
28 | memory: 512Mi
29 | cpu: 500m
30 | limits:
31 | memory: 1024Mi
32 | cpu: 1000m
33 | affinity:
34 | podAntiAffinity:
35 | preferredDuringSchedulingIgnoredDuringExecution:
36 | - weight: 100
37 | podAffinityTerm:
38 | labelSelector:
39 | matchExpressions:
40 | - key: app
41 | operator: In
42 | values:
43 | - rust-app
44 | - go-app
45 | topologyKey: topology.kubernetes.io/zone
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.rust-app
File: /lessons/138/rust-app/deploy/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: rust-app
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: rust-app
12 | template:
13 | metadata:
14 | labels:
15 | app: rust-app
16 | spec:
17 | containers:
18 | - name: rust-app
19 | image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/rust-app:0.1.3
20 | env:
21 | - name: ROCKET_ADDRESS
22 | value: 0.0.0.0
23 | ports:
24 | - name: http
25 | containerPort: 8000
26 | resources:
27 | requests:
28 | memory: 512Mi
29 | cpu: 500m
30 | limits:
31 | memory: 1024Mi
32 | cpu: 1000m
33 | affinity:
34 | podAntiAffinity:
35 | preferredDuringSchedulingIgnoredDuringExecution:
36 | - weight: 100
37 | podAffinityTerm:
38 | labelSelector:
39 | matchExpressions:
40 | - key: app
41 | operator: In
42 | values:
43 | - rust-app
44 | - go-app
45 | topologyKey: topology.kubernetes.io/zone
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.staging.bar
File: /lessons/041/test/4-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: bar
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.bar
File: /lessons/041/test/4-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: bar
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.staging.bar
File: /lessons/041/test/4-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: bar
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.bar
File: /lessons/041/test/4-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: bar
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.bar
File: /lessons/041/test/4-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: bar
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.bar
File: /lessons/041/test/4-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: bar
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.bar
File: /lessons/041/test/4-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: bar
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.bar
File: /lessons/041/test/4-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: bar
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.bar
File: /lessons/041/test/4-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: bar
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.bar
File: /lessons/041/test/4-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: bar
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.bar
File: /lessons/041/test/4-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: bar
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.staging.bar
File: /lessons/041/test/4-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: bar
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.bar
File: /lessons/041/test/4-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: bar
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.bar
File: /lessons/041/test/4-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: bar
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.bar
File: /lessons/041/test/4-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: bar
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.staging.bar
File: /lessons/041/test/4-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: bar
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.staging.bar
File: /lessons/041/test/4-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: bar
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.bar
File: /lessons/041/test/4-bar-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: bar
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: bar
12 | template:
13 | metadata:
14 | labels:
15 | app: bar
16 | spec:
17 | containers:
18 | - name: bar
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.staging.foo
File: /lessons/041/test/3-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: foo
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: foo
12 | template:
13 | metadata:
14 | labels:
15 | app: foo
16 | spec:
17 | containers:
18 | - name: foo
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.foo
File: /lessons/041/test/3-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: foo
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: foo
12 | template:
13 | metadata:
14 | labels:
15 | app: foo
16 | spec:
17 | containers:
18 | - name: foo
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.staging.foo
File: /lessons/041/test/3-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: foo
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: foo
12 | template:
13 | metadata:
14 | labels:
15 | app: foo
16 | spec:
17 | containers:
18 | - name: foo
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.foo
File: /lessons/041/test/3-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: foo
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: foo
12 | template:
13 | metadata:
14 | labels:
15 | app: foo
16 | spec:
17 | containers:
18 | - name: foo
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.foo
File: /lessons/041/test/3-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: foo
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: foo
12 | template:
13 | metadata:
14 | labels:
15 | app: foo
16 | spec:
17 | containers:
18 | - name: foo
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.foo
File: /lessons/041/test/3-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: foo
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: foo
12 | template:
13 | metadata:
14 | labels:
15 | app: foo
16 | spec:
17 | containers:
18 | - name: foo
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.foo
File: /lessons/041/test/3-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: foo
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: foo
12 | template:
13 | metadata:
14 | labels:
15 | app: foo
16 | spec:
17 | containers:
18 | - name: foo
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.foo
File: /lessons/041/test/3-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: foo
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: foo
12 | template:
13 | metadata:
14 | labels:
15 | app: foo
16 | spec:
17 | containers:
18 | - name: foo
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.foo
File: /lessons/041/test/3-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: foo
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: foo
12 | template:
13 | metadata:
14 | labels:
15 | app: foo
16 | spec:
17 | containers:
18 | - name: foo
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.foo
File: /lessons/041/test/3-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: foo
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: foo
12 | template:
13 | metadata:
14 | labels:
15 | app: foo
16 | spec:
17 | containers:
18 | - name: foo
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.foo
File: /lessons/041/test/3-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: foo
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: foo
12 | template:
13 | metadata:
14 | labels:
15 | app: foo
16 | spec:
17 | containers:
18 | - name: foo
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.staging.foo
File: /lessons/041/test/3-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: foo
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: foo
12 | template:
13 | metadata:
14 | labels:
15 | app: foo
16 | spec:
17 | containers:
18 | - name: foo
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.foo
File: /lessons/041/test/3-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: foo
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: foo
12 | template:
13 | metadata:
14 | labels:
15 | app: foo
16 | spec:
17 | containers:
18 | - name: foo
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.foo
File: /lessons/041/test/3-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: foo
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: foo
12 | template:
13 | metadata:
14 | labels:
15 | app: foo
16 | spec:
17 | containers:
18 | - name: foo
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.foo
File: /lessons/041/test/3-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: foo
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: foo
12 | template:
13 | metadata:
14 | labels:
15 | app: foo
16 | spec:
17 | containers:
18 | - name: foo
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.staging.foo
File: /lessons/041/test/3-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: foo
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: foo
12 | template:
13 | metadata:
14 | labels:
15 | app: foo
16 | spec:
17 | containers:
18 | - name: foo
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.staging.foo
File: /lessons/041/test/3-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: foo
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: foo
12 | template:
13 | metadata:
14 | labels:
15 | app: foo
16 | spec:
17 | containers:
18 | - name: foo
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.foo
File: /lessons/041/test/3-foo-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: foo
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: foo
12 | template:
13 | metadata:
14 | labels:
15 | app: foo
16 | spec:
17 | containers:
18 | - name: foo
19 | image: nginx:1.14.2
20 | ports:
21 | - containerPort: 80
22 | volumeMounts:
23 | - name: efs-pvc
24 | mountPath: "/data"
25 | volumes:
26 | - name: efs-pvc
27 | persistentVolumeClaim:
28 | claimName: test-claim
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.storage.nfs-client-provisioner
File: /lessons/041/efs/7-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nfs-client-provisioner
6 | namespace: storage
7 | spec:
8 | replicas: 1
9 | strategy:
10 | type: Recreate
11 | selector:
12 | matchLabels:
13 | app: nfs-client-provisioner
14 | template:
15 | metadata:
16 | labels:
17 | app: nfs-client-provisioner
18 | spec:
19 | serviceAccountName: nfs-client-provisioner
20 | containers:
21 | - name: nfs-client-provisioner
22 | image: quay.io/external_storage/nfs-client-provisioner:latest
23 | volumeMounts:
24 | - name: nfs-client-root
25 | mountPath: /persistentvolumes
26 | env:
27 | - name: PROVISIONER_NAME
28 | value: efs-storage
29 | - name: NFS_SERVER
30 | value: 192.168.33.21
31 | - name: NFS_PATH
32 | value: /
33 | volumes:
34 | - name: nfs-client-root
35 | nfs:
36 | server: 192.168.33.21
37 | path: /
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.storage.nfs-client-provisioner
File: /lessons/041/efs/7-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nfs-client-provisioner
6 | namespace: storage
7 | spec:
8 | replicas: 1
9 | strategy:
10 | type: Recreate
11 | selector:
12 | matchLabels:
13 | app: nfs-client-provisioner
14 | template:
15 | metadata:
16 | labels:
17 | app: nfs-client-provisioner
18 | spec:
19 | serviceAccountName: nfs-client-provisioner
20 | containers:
21 | - name: nfs-client-provisioner
22 | image: quay.io/external_storage/nfs-client-provisioner:latest
23 | volumeMounts:
24 | - name: nfs-client-root
25 | mountPath: /persistentvolumes
26 | env:
27 | - name: PROVISIONER_NAME
28 | value: efs-storage
29 | - name: NFS_SERVER
30 | value: 192.168.33.21
31 | - name: NFS_PATH
32 | value: /
33 | volumes:
34 | - name: nfs-client-root
35 | nfs:
36 | server: 192.168.33.21
37 | path: /
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.storage.nfs-client-provisioner
File: /lessons/041/efs/7-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nfs-client-provisioner
6 | namespace: storage
7 | spec:
8 | replicas: 1
9 | strategy:
10 | type: Recreate
11 | selector:
12 | matchLabels:
13 | app: nfs-client-provisioner
14 | template:
15 | metadata:
16 | labels:
17 | app: nfs-client-provisioner
18 | spec:
19 | serviceAccountName: nfs-client-provisioner
20 | containers:
21 | - name: nfs-client-provisioner
22 | image: quay.io/external_storage/nfs-client-provisioner:latest
23 | volumeMounts:
24 | - name: nfs-client-root
25 | mountPath: /persistentvolumes
26 | env:
27 | - name: PROVISIONER_NAME
28 | value: efs-storage
29 | - name: NFS_SERVER
30 | value: 192.168.33.21
31 | - name: NFS_PATH
32 | value: /
33 | volumes:
34 | - name: nfs-client-root
35 | nfs:
36 | server: 192.168.33.21
37 | path: /
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.storage.nfs-client-provisioner
File: /lessons/041/efs/7-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nfs-client-provisioner
6 | namespace: storage
7 | spec:
8 | replicas: 1
9 | strategy:
10 | type: Recreate
11 | selector:
12 | matchLabels:
13 | app: nfs-client-provisioner
14 | template:
15 | metadata:
16 | labels:
17 | app: nfs-client-provisioner
18 | spec:
19 | serviceAccountName: nfs-client-provisioner
20 | containers:
21 | - name: nfs-client-provisioner
22 | image: quay.io/external_storage/nfs-client-provisioner:latest
23 | volumeMounts:
24 | - name: nfs-client-root
25 | mountPath: /persistentvolumes
26 | env:
27 | - name: PROVISIONER_NAME
28 | value: efs-storage
29 | - name: NFS_SERVER
30 | value: 192.168.33.21
31 | - name: NFS_PATH
32 | value: /
33 | volumes:
34 | - name: nfs-client-root
35 | nfs:
36 | server: 192.168.33.21
37 | path: /
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.storage.nfs-client-provisioner
File: /lessons/041/efs/7-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nfs-client-provisioner
6 | namespace: storage
7 | spec:
8 | replicas: 1
9 | strategy:
10 | type: Recreate
11 | selector:
12 | matchLabels:
13 | app: nfs-client-provisioner
14 | template:
15 | metadata:
16 | labels:
17 | app: nfs-client-provisioner
18 | spec:
19 | serviceAccountName: nfs-client-provisioner
20 | containers:
21 | - name: nfs-client-provisioner
22 | image: quay.io/external_storage/nfs-client-provisioner:latest
23 | volumeMounts:
24 | - name: nfs-client-root
25 | mountPath: /persistentvolumes
26 | env:
27 | - name: PROVISIONER_NAME
28 | value: efs-storage
29 | - name: NFS_SERVER
30 | value: 192.168.33.21
31 | - name: NFS_PATH
32 | value: /
33 | volumes:
34 | - name: nfs-client-root
35 | nfs:
36 | server: 192.168.33.21
37 | path: /
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.storage.nfs-client-provisioner
File: /lessons/041/efs/7-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nfs-client-provisioner
6 | namespace: storage
7 | spec:
8 | replicas: 1
9 | strategy:
10 | type: Recreate
11 | selector:
12 | matchLabels:
13 | app: nfs-client-provisioner
14 | template:
15 | metadata:
16 | labels:
17 | app: nfs-client-provisioner
18 | spec:
19 | serviceAccountName: nfs-client-provisioner
20 | containers:
21 | - name: nfs-client-provisioner
22 | image: quay.io/external_storage/nfs-client-provisioner:latest
23 | volumeMounts:
24 | - name: nfs-client-root
25 | mountPath: /persistentvolumes
26 | env:
27 | - name: PROVISIONER_NAME
28 | value: efs-storage
29 | - name: NFS_SERVER
30 | value: 192.168.33.21
31 | - name: NFS_PATH
32 | value: /
33 | volumes:
34 | - name: nfs-client-root
35 | nfs:
36 | server: 192.168.33.21
37 | path: /
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.storage.nfs-client-provisioner
File: /lessons/041/efs/7-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nfs-client-provisioner
6 | namespace: storage
7 | spec:
8 | replicas: 1
9 | strategy:
10 | type: Recreate
11 | selector:
12 | matchLabels:
13 | app: nfs-client-provisioner
14 | template:
15 | metadata:
16 | labels:
17 | app: nfs-client-provisioner
18 | spec:
19 | serviceAccountName: nfs-client-provisioner
20 | containers:
21 | - name: nfs-client-provisioner
22 | image: quay.io/external_storage/nfs-client-provisioner:latest
23 | volumeMounts:
24 | - name: nfs-client-root
25 | mountPath: /persistentvolumes
26 | env:
27 | - name: PROVISIONER_NAME
28 | value: efs-storage
29 | - name: NFS_SERVER
30 | value: 192.168.33.21
31 | - name: NFS_PATH
32 | value: /
33 | volumes:
34 | - name: nfs-client-root
35 | nfs:
36 | server: 192.168.33.21
37 | path: /
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.storage.nfs-client-provisioner
File: /lessons/041/efs/7-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nfs-client-provisioner
6 | namespace: storage
7 | spec:
8 | replicas: 1
9 | strategy:
10 | type: Recreate
11 | selector:
12 | matchLabels:
13 | app: nfs-client-provisioner
14 | template:
15 | metadata:
16 | labels:
17 | app: nfs-client-provisioner
18 | spec:
19 | serviceAccountName: nfs-client-provisioner
20 | containers:
21 | - name: nfs-client-provisioner
22 | image: quay.io/external_storage/nfs-client-provisioner:latest
23 | volumeMounts:
24 | - name: nfs-client-root
25 | mountPath: /persistentvolumes
26 | env:
27 | - name: PROVISIONER_NAME
28 | value: efs-storage
29 | - name: NFS_SERVER
30 | value: 192.168.33.21
31 | - name: NFS_PATH
32 | value: /
33 | volumes:
34 | - name: nfs-client-root
35 | nfs:
36 | server: 192.168.33.21
37 | path: /
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.storage.nfs-client-provisioner
File: /lessons/041/efs/7-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nfs-client-provisioner
6 | namespace: storage
7 | spec:
8 | replicas: 1
9 | strategy:
10 | type: Recreate
11 | selector:
12 | matchLabels:
13 | app: nfs-client-provisioner
14 | template:
15 | metadata:
16 | labels:
17 | app: nfs-client-provisioner
18 | spec:
19 | serviceAccountName: nfs-client-provisioner
20 | containers:
21 | - name: nfs-client-provisioner
22 | image: quay.io/external_storage/nfs-client-provisioner:latest
23 | volumeMounts:
24 | - name: nfs-client-root
25 | mountPath: /persistentvolumes
26 | env:
27 | - name: PROVISIONER_NAME
28 | value: efs-storage
29 | - name: NFS_SERVER
30 | value: 192.168.33.21
31 | - name: NFS_PATH
32 | value: /
33 | volumes:
34 | - name: nfs-client-root
35 | nfs:
36 | server: 192.168.33.21
37 | path: /
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.storage.nfs-client-provisioner
File: /lessons/041/efs/7-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nfs-client-provisioner
6 | namespace: storage
7 | spec:
8 | replicas: 1
9 | strategy:
10 | type: Recreate
11 | selector:
12 | matchLabels:
13 | app: nfs-client-provisioner
14 | template:
15 | metadata:
16 | labels:
17 | app: nfs-client-provisioner
18 | spec:
19 | serviceAccountName: nfs-client-provisioner
20 | containers:
21 | - name: nfs-client-provisioner
22 | image: quay.io/external_storage/nfs-client-provisioner:latest
23 | volumeMounts:
24 | - name: nfs-client-root
25 | mountPath: /persistentvolumes
26 | env:
27 | - name: PROVISIONER_NAME
28 | value: efs-storage
29 | - name: NFS_SERVER
30 | value: 192.168.33.21
31 | - name: NFS_PATH
32 | value: /
33 | volumes:
34 | - name: nfs-client-root
35 | nfs:
36 | server: 192.168.33.21
37 | path: /
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.storage.nfs-client-provisioner
File: /lessons/041/efs/7-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nfs-client-provisioner
6 | namespace: storage
7 | spec:
8 | replicas: 1
9 | strategy:
10 | type: Recreate
11 | selector:
12 | matchLabels:
13 | app: nfs-client-provisioner
14 | template:
15 | metadata:
16 | labels:
17 | app: nfs-client-provisioner
18 | spec:
19 | serviceAccountName: nfs-client-provisioner
20 | containers:
21 | - name: nfs-client-provisioner
22 | image: quay.io/external_storage/nfs-client-provisioner:latest
23 | volumeMounts:
24 | - name: nfs-client-root
25 | mountPath: /persistentvolumes
26 | env:
27 | - name: PROVISIONER_NAME
28 | value: efs-storage
29 | - name: NFS_SERVER
30 | value: 192.168.33.21
31 | - name: NFS_PATH
32 | value: /
33 | volumes:
34 | - name: nfs-client-root
35 | nfs:
36 | server: 192.168.33.21
37 | path: /
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.storage.nfs-client-provisioner
File: /lessons/041/efs/7-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nfs-client-provisioner
6 | namespace: storage
7 | spec:
8 | replicas: 1
9 | strategy:
10 | type: Recreate
11 | selector:
12 | matchLabels:
13 | app: nfs-client-provisioner
14 | template:
15 | metadata:
16 | labels:
17 | app: nfs-client-provisioner
18 | spec:
19 | serviceAccountName: nfs-client-provisioner
20 | containers:
21 | - name: nfs-client-provisioner
22 | image: quay.io/external_storage/nfs-client-provisioner:latest
23 | volumeMounts:
24 | - name: nfs-client-root
25 | mountPath: /persistentvolumes
26 | env:
27 | - name: PROVISIONER_NAME
28 | value: efs-storage
29 | - name: NFS_SERVER
30 | value: 192.168.33.21
31 | - name: NFS_PATH
32 | value: /
33 | volumes:
34 | - name: nfs-client-root
35 | nfs:
36 | server: 192.168.33.21
37 | path: /
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.storage.nfs-client-provisioner
File: /lessons/041/efs/7-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nfs-client-provisioner
6 | namespace: storage
7 | spec:
8 | replicas: 1
9 | strategy:
10 | type: Recreate
11 | selector:
12 | matchLabels:
13 | app: nfs-client-provisioner
14 | template:
15 | metadata:
16 | labels:
17 | app: nfs-client-provisioner
18 | spec:
19 | serviceAccountName: nfs-client-provisioner
20 | containers:
21 | - name: nfs-client-provisioner
22 | image: quay.io/external_storage/nfs-client-provisioner:latest
23 | volumeMounts:
24 | - name: nfs-client-root
25 | mountPath: /persistentvolumes
26 | env:
27 | - name: PROVISIONER_NAME
28 | value: efs-storage
29 | - name: NFS_SERVER
30 | value: 192.168.33.21
31 | - name: NFS_PATH
32 | value: /
33 | volumes:
34 | - name: nfs-client-root
35 | nfs:
36 | server: 192.168.33.21
37 | path: /
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.storage.nfs-client-provisioner
File: /lessons/041/efs/7-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nfs-client-provisioner
6 | namespace: storage
7 | spec:
8 | replicas: 1
9 | strategy:
10 | type: Recreate
11 | selector:
12 | matchLabels:
13 | app: nfs-client-provisioner
14 | template:
15 | metadata:
16 | labels:
17 | app: nfs-client-provisioner
18 | spec:
19 | serviceAccountName: nfs-client-provisioner
20 | containers:
21 | - name: nfs-client-provisioner
22 | image: quay.io/external_storage/nfs-client-provisioner:latest
23 | volumeMounts:
24 | - name: nfs-client-root
25 | mountPath: /persistentvolumes
26 | env:
27 | - name: PROVISIONER_NAME
28 | value: efs-storage
29 | - name: NFS_SERVER
30 | value: 192.168.33.21
31 | - name: NFS_PATH
32 | value: /
33 | volumes:
34 | - name: nfs-client-root
35 | nfs:
36 | server: 192.168.33.21
37 | path: /
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.storage.nfs-client-provisioner
File: /lessons/041/efs/7-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nfs-client-provisioner
6 | namespace: storage
7 | spec:
8 | replicas: 1
9 | strategy:
10 | type: Recreate
11 | selector:
12 | matchLabels:
13 | app: nfs-client-provisioner
14 | template:
15 | metadata:
16 | labels:
17 | app: nfs-client-provisioner
18 | spec:
19 | serviceAccountName: nfs-client-provisioner
20 | containers:
21 | - name: nfs-client-provisioner
22 | image: quay.io/external_storage/nfs-client-provisioner:latest
23 | volumeMounts:
24 | - name: nfs-client-root
25 | mountPath: /persistentvolumes
26 | env:
27 | - name: PROVISIONER_NAME
28 | value: efs-storage
29 | - name: NFS_SERVER
30 | value: 192.168.33.21
31 | - name: NFS_PATH
32 | value: /
33 | volumes:
34 | - name: nfs-client-root
35 | nfs:
36 | server: 192.168.33.21
37 | path: /
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.storage.nfs-client-provisioner
File: /lessons/041/efs/7-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nfs-client-provisioner
6 | namespace: storage
7 | spec:
8 | replicas: 1
9 | strategy:
10 | type: Recreate
11 | selector:
12 | matchLabels:
13 | app: nfs-client-provisioner
14 | template:
15 | metadata:
16 | labels:
17 | app: nfs-client-provisioner
18 | spec:
19 | serviceAccountName: nfs-client-provisioner
20 | containers:
21 | - name: nfs-client-provisioner
22 | image: quay.io/external_storage/nfs-client-provisioner:latest
23 | volumeMounts:
24 | - name: nfs-client-root
25 | mountPath: /persistentvolumes
26 | env:
27 | - name: PROVISIONER_NAME
28 | value: efs-storage
29 | - name: NFS_SERVER
30 | value: 192.168.33.21
31 | - name: NFS_PATH
32 | value: /
33 | volumes:
34 | - name: nfs-client-root
35 | nfs:
36 | server: 192.168.33.21
37 | path: /
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.storage.nfs-client-provisioner
File: /lessons/041/efs/7-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nfs-client-provisioner
6 | namespace: storage
7 | spec:
8 | replicas: 1
9 | strategy:
10 | type: Recreate
11 | selector:
12 | matchLabels:
13 | app: nfs-client-provisioner
14 | template:
15 | metadata:
16 | labels:
17 | app: nfs-client-provisioner
18 | spec:
19 | serviceAccountName: nfs-client-provisioner
20 | containers:
21 | - name: nfs-client-provisioner
22 | image: quay.io/external_storage/nfs-client-provisioner:latest
23 | volumeMounts:
24 | - name: nfs-client-root
25 | mountPath: /persistentvolumes
26 | env:
27 | - name: PROVISIONER_NAME
28 | value: efs-storage
29 | - name: NFS_SERVER
30 | value: 192.168.33.21
31 | - name: NFS_PATH
32 | value: /
33 | volumes:
34 | - name: nfs-client-root
35 | nfs:
36 | server: 192.168.33.21
37 | path: /
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.storage.nfs-client-provisioner
File: /lessons/041/efs/7-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nfs-client-provisioner
6 | namespace: storage
7 | spec:
8 | replicas: 1
9 | strategy:
10 | type: Recreate
11 | selector:
12 | matchLabels:
13 | app: nfs-client-provisioner
14 | template:
15 | metadata:
16 | labels:
17 | app: nfs-client-provisioner
18 | spec:
19 | serviceAccountName: nfs-client-provisioner
20 | containers:
21 | - name: nfs-client-provisioner
22 | image: quay.io/external_storage/nfs-client-provisioner:latest
23 | volumeMounts:
24 | - name: nfs-client-root
25 | mountPath: /persistentvolumes
26 | env:
27 | - name: PROVISIONER_NAME
28 | value: efs-storage
29 | - name: NFS_SERVER
30 | value: 192.168.33.21
31 | - name: NFS_PATH
32 | value: /
33 | volumes:
34 | - name: nfs-client-root
35 | nfs:
36 | server: 192.168.33.21
37 | path: /
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.staging.flask
File: /lessons/044/k8s/05-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: flask
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: flask
12 | template:
13 | metadata:
14 | labels:
15 | app: flask
16 | spec:
17 | containers:
18 | - name: flask
19 | image: antonputra/044:v0.1.2
20 | ports:
21 | - containerPort: 8080
22 | env:
23 | - name: TOKEN
24 | valueFrom:
25 | secretKeyRef:
26 | name: credentials
27 | key: token
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.flask
File: /lessons/044/k8s/05-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: flask
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: flask
12 | template:
13 | metadata:
14 | labels:
15 | app: flask
16 | spec:
17 | containers:
18 | - name: flask
19 | image: antonputra/044:v0.1.2
20 | ports:
21 | - containerPort: 8080
22 | env:
23 | - name: TOKEN
24 | valueFrom:
25 | secretKeyRef:
26 | name: credentials
27 | key: token
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.staging.flask
File: /lessons/044/k8s/05-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: flask
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: flask
12 | template:
13 | metadata:
14 | labels:
15 | app: flask
16 | spec:
17 | containers:
18 | - name: flask
19 | image: antonputra/044:v0.1.2
20 | ports:
21 | - containerPort: 8080
22 | env:
23 | - name: TOKEN
24 | valueFrom:
25 | secretKeyRef:
26 | name: credentials
27 | key: token
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.flask
File: /lessons/044/k8s/05-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: flask
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: flask
12 | template:
13 | metadata:
14 | labels:
15 | app: flask
16 | spec:
17 | containers:
18 | - name: flask
19 | image: antonputra/044:v0.1.2
20 | ports:
21 | - containerPort: 8080
22 | env:
23 | - name: TOKEN
24 | valueFrom:
25 | secretKeyRef:
26 | name: credentials
27 | key: token
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.flask
File: /lessons/044/k8s/05-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: flask
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: flask
12 | template:
13 | metadata:
14 | labels:
15 | app: flask
16 | spec:
17 | containers:
18 | - name: flask
19 | image: antonputra/044:v0.1.2
20 | ports:
21 | - containerPort: 8080
22 | env:
23 | - name: TOKEN
24 | valueFrom:
25 | secretKeyRef:
26 | name: credentials
27 | key: token
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.flask
File: /lessons/044/k8s/05-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: flask
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: flask
12 | template:
13 | metadata:
14 | labels:
15 | app: flask
16 | spec:
17 | containers:
18 | - name: flask
19 | image: antonputra/044:v0.1.2
20 | ports:
21 | - containerPort: 8080
22 | env:
23 | - name: TOKEN
24 | valueFrom:
25 | secretKeyRef:
26 | name: credentials
27 | key: token
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.flask
File: /lessons/044/k8s/05-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: flask
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: flask
12 | template:
13 | metadata:
14 | labels:
15 | app: flask
16 | spec:
17 | containers:
18 | - name: flask
19 | image: antonputra/044:v0.1.2
20 | ports:
21 | - containerPort: 8080
22 | env:
23 | - name: TOKEN
24 | valueFrom:
25 | secretKeyRef:
26 | name: credentials
27 | key: token
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.flask
File: /lessons/044/k8s/05-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: flask
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: flask
12 | template:
13 | metadata:
14 | labels:
15 | app: flask
16 | spec:
17 | containers:
18 | - name: flask
19 | image: antonputra/044:v0.1.2
20 | ports:
21 | - containerPort: 8080
22 | env:
23 | - name: TOKEN
24 | valueFrom:
25 | secretKeyRef:
26 | name: credentials
27 | key: token
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.flask
File: /lessons/044/k8s/05-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: flask
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: flask
12 | template:
13 | metadata:
14 | labels:
15 | app: flask
16 | spec:
17 | containers:
18 | - name: flask
19 | image: antonputra/044:v0.1.2
20 | ports:
21 | - containerPort: 8080
22 | env:
23 | - name: TOKEN
24 | valueFrom:
25 | secretKeyRef:
26 | name: credentials
27 | key: token
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.flask
File: /lessons/044/k8s/05-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: flask
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: flask
12 | template:
13 | metadata:
14 | labels:
15 | app: flask
16 | spec:
17 | containers:
18 | - name: flask
19 | image: antonputra/044:v0.1.2
20 | ports:
21 | - containerPort: 8080
22 | env:
23 | - name: TOKEN
24 | valueFrom:
25 | secretKeyRef:
26 | name: credentials
27 | key: token
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.flask
File: /lessons/044/k8s/05-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: flask
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: flask
12 | template:
13 | metadata:
14 | labels:
15 | app: flask
16 | spec:
17 | containers:
18 | - name: flask
19 | image: antonputra/044:v0.1.2
20 | ports:
21 | - containerPort: 8080
22 | env:
23 | - name: TOKEN
24 | valueFrom:
25 | secretKeyRef:
26 | name: credentials
27 | key: token
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.staging.flask
File: /lessons/044/k8s/05-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: flask
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: flask
12 | template:
13 | metadata:
14 | labels:
15 | app: flask
16 | spec:
17 | containers:
18 | - name: flask
19 | image: antonputra/044:v0.1.2
20 | ports:
21 | - containerPort: 8080
22 | env:
23 | - name: TOKEN
24 | valueFrom:
25 | secretKeyRef:
26 | name: credentials
27 | key: token
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.staging.flask
File: /lessons/044/k8s/05-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: flask
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: flask
12 | template:
13 | metadata:
14 | labels:
15 | app: flask
16 | spec:
17 | containers:
18 | - name: flask
19 | image: antonputra/044:v0.1.2
20 | ports:
21 | - containerPort: 8080
22 | env:
23 | - name: TOKEN
24 | valueFrom:
25 | secretKeyRef:
26 | name: credentials
27 | key: token
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.flask
File: /lessons/044/k8s/05-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: flask
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: flask
12 | template:
13 | metadata:
14 | labels:
15 | app: flask
16 | spec:
17 | containers:
18 | - name: flask
19 | image: antonputra/044:v0.1.2
20 | ports:
21 | - containerPort: 8080
22 | env:
23 | - name: TOKEN
24 | valueFrom:
25 | secretKeyRef:
26 | name: credentials
27 | key: token
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.flask
File: /lessons/044/k8s/05-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: flask
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: flask
12 | template:
13 | metadata:
14 | labels:
15 | app: flask
16 | spec:
17 | containers:
18 | - name: flask
19 | image: antonputra/044:v0.1.2
20 | ports:
21 | - containerPort: 8080
22 | env:
23 | - name: TOKEN
24 | valueFrom:
25 | secretKeyRef:
26 | name: credentials
27 | key: token
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.flask
File: /lessons/044/k8s/05-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: flask
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: flask
12 | template:
13 | metadata:
14 | labels:
15 | app: flask
16 | spec:
17 | containers:
18 | - name: flask
19 | image: antonputra/044:v0.1.2
20 | ports:
21 | - containerPort: 8080
22 | env:
23 | - name: TOKEN
24 | valueFrom:
25 | secretKeyRef:
26 | name: credentials
27 | key: token
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.staging.flask
File: /lessons/044/k8s/05-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: flask
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: flask
12 | template:
13 | metadata:
14 | labels:
15 | app: flask
16 | spec:
17 | containers:
18 | - name: flask
19 | image: antonputra/044:v0.1.2
20 | ports:
21 | - containerPort: 8080
22 | env:
23 | - name: TOKEN
24 | valueFrom:
25 | secretKeyRef:
26 | name: credentials
27 | key: token
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.staging.flask
File: /lessons/044/k8s/05-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: flask
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: flask
12 | template:
13 | metadata:
14 | labels:
15 | app: flask
16 | spec:
17 | containers:
18 | - name: flask
19 | image: antonputra/044:v0.1.2
20 | ports:
21 | - containerPort: 8080
22 | env:
23 | - name: TOKEN
24 | valueFrom:
25 | secretKeyRef:
26 | name: credentials
27 | key: token
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.flask
File: /lessons/044/k8s/05-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: flask
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: flask
12 | template:
13 | metadata:
14 | labels:
15 | app: flask
16 | spec:
17 | containers:
18 | - name: flask
19 | image: antonputra/044:v0.1.2
20 | ports:
21 | - containerPort: 8080
22 | env:
23 | - name: TOKEN
24 | valueFrom:
25 | secretKeyRef:
26 | name: credentials
27 | key: token
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.kube-system.sealed-secrets-controller
File: /lessons/044/k8s/01-kubeseal.yaml:153-216
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.kube-system.sealed-secrets-controller
File: /lessons/044/k8s/01-kubeseal.yaml:153-216
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.kube-system.sealed-secrets-controller
File: /lessons/044/k8s/01-kubeseal.yaml:153-216
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.kube-system.sealed-secrets-controller
File: /lessons/044/k8s/01-kubeseal.yaml:153-216
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.kube-system.sealed-secrets-controller
File: /lessons/044/k8s/01-kubeseal.yaml:153-216
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.kube-system.sealed-secrets-controller
File: /lessons/044/k8s/01-kubeseal.yaml:153-216
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.kube-system.sealed-secrets-controller
File: /lessons/044/k8s/01-kubeseal.yaml:153-216
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.kube-system.sealed-secrets-controller
File: /lessons/044/k8s/01-kubeseal.yaml:153-216
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.kube-system.sealed-secrets-controller
File: /lessons/044/k8s/01-kubeseal.yaml:153-216
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.kube-system.sealed-secrets-controller
File: /lessons/044/k8s/01-kubeseal.yaml:153-216
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.kube-system.sealed-secrets-controller
File: /lessons/044/k8s/01-kubeseal.yaml:153-216
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: StatefulSet.default.www
File: /lessons/133/k8s/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: www
6 | namespace: default
7 | spec:
8 | serviceName: nginx
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: registry.k8s.io/nginx-slim:0.8
21 | ports:
22 | - containerPort: 80
23 | name: web
24 | volumeMounts:
25 | - name: www
26 | mountPath: /usr/share/nginx/html
27 | volumeClaimTemplates:
28 | - metadata:
29 | name: www
30 | spec:
31 | accessModes: [ ReadWriteOnce ]
32 | resources:
33 | requests:
34 | storage: 1Gi
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: StatefulSet.default.www
File: /lessons/133/k8s/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: www
6 | namespace: default
7 | spec:
8 | serviceName: nginx
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: registry.k8s.io/nginx-slim:0.8
21 | ports:
22 | - containerPort: 80
23 | name: web
24 | volumeMounts:
25 | - name: www
26 | mountPath: /usr/share/nginx/html
27 | volumeClaimTemplates:
28 | - metadata:
29 | name: www
30 | spec:
31 | accessModes: [ ReadWriteOnce ]
32 | resources:
33 | requests:
34 | storage: 1Gi
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: StatefulSet.default.www
File: /lessons/133/k8s/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: www
6 | namespace: default
7 | spec:
8 | serviceName: nginx
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: registry.k8s.io/nginx-slim:0.8
21 | ports:
22 | - containerPort: 80
23 | name: web
24 | volumeMounts:
25 | - name: www
26 | mountPath: /usr/share/nginx/html
27 | volumeClaimTemplates:
28 | - metadata:
29 | name: www
30 | spec:
31 | accessModes: [ ReadWriteOnce ]
32 | resources:
33 | requests:
34 | storage: 1Gi
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: StatefulSet.default.www
File: /lessons/133/k8s/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: www
6 | namespace: default
7 | spec:
8 | serviceName: nginx
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: registry.k8s.io/nginx-slim:0.8
21 | ports:
22 | - containerPort: 80
23 | name: web
24 | volumeMounts:
25 | - name: www
26 | mountPath: /usr/share/nginx/html
27 | volumeClaimTemplates:
28 | - metadata:
29 | name: www
30 | spec:
31 | accessModes: [ ReadWriteOnce ]
32 | resources:
33 | requests:
34 | storage: 1Gi
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: StatefulSet.default.www
File: /lessons/133/k8s/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: www
6 | namespace: default
7 | spec:
8 | serviceName: nginx
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: registry.k8s.io/nginx-slim:0.8
21 | ports:
22 | - containerPort: 80
23 | name: web
24 | volumeMounts:
25 | - name: www
26 | mountPath: /usr/share/nginx/html
27 | volumeClaimTemplates:
28 | - metadata:
29 | name: www
30 | spec:
31 | accessModes: [ ReadWriteOnce ]
32 | resources:
33 | requests:
34 | storage: 1Gi
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: StatefulSet.default.www
File: /lessons/133/k8s/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: www
6 | namespace: default
7 | spec:
8 | serviceName: nginx
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: registry.k8s.io/nginx-slim:0.8
21 | ports:
22 | - containerPort: 80
23 | name: web
24 | volumeMounts:
25 | - name: www
26 | mountPath: /usr/share/nginx/html
27 | volumeClaimTemplates:
28 | - metadata:
29 | name: www
30 | spec:
31 | accessModes: [ ReadWriteOnce ]
32 | resources:
33 | requests:
34 | storage: 1Gi
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: StatefulSet.default.www
File: /lessons/133/k8s/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: www
6 | namespace: default
7 | spec:
8 | serviceName: nginx
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: registry.k8s.io/nginx-slim:0.8
21 | ports:
22 | - containerPort: 80
23 | name: web
24 | volumeMounts:
25 | - name: www
26 | mountPath: /usr/share/nginx/html
27 | volumeClaimTemplates:
28 | - metadata:
29 | name: www
30 | spec:
31 | accessModes: [ ReadWriteOnce ]
32 | resources:
33 | requests:
34 | storage: 1Gi
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: StatefulSet.default.www
File: /lessons/133/k8s/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: www
6 | namespace: default
7 | spec:
8 | serviceName: nginx
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: registry.k8s.io/nginx-slim:0.8
21 | ports:
22 | - containerPort: 80
23 | name: web
24 | volumeMounts:
25 | - name: www
26 | mountPath: /usr/share/nginx/html
27 | volumeClaimTemplates:
28 | - metadata:
29 | name: www
30 | spec:
31 | accessModes: [ ReadWriteOnce ]
32 | resources:
33 | requests:
34 | storage: 1Gi
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: StatefulSet.default.www
File: /lessons/133/k8s/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: www
6 | namespace: default
7 | spec:
8 | serviceName: nginx
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: registry.k8s.io/nginx-slim:0.8
21 | ports:
22 | - containerPort: 80
23 | name: web
24 | volumeMounts:
25 | - name: www
26 | mountPath: /usr/share/nginx/html
27 | volumeClaimTemplates:
28 | - metadata:
29 | name: www
30 | spec:
31 | accessModes: [ ReadWriteOnce ]
32 | resources:
33 | requests:
34 | storage: 1Gi
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: StatefulSet.default.www
File: /lessons/133/k8s/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: www
6 | namespace: default
7 | spec:
8 | serviceName: nginx
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: registry.k8s.io/nginx-slim:0.8
21 | ports:
22 | - containerPort: 80
23 | name: web
24 | volumeMounts:
25 | - name: www
26 | mountPath: /usr/share/nginx/html
27 | volumeClaimTemplates:
28 | - metadata:
29 | name: www
30 | spec:
31 | accessModes: [ ReadWriteOnce ]
32 | resources:
33 | requests:
34 | storage: 1Gi
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: StatefulSet.default.www
File: /lessons/133/k8s/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: www
6 | namespace: default
7 | spec:
8 | serviceName: nginx
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: registry.k8s.io/nginx-slim:0.8
21 | ports:
22 | - containerPort: 80
23 | name: web
24 | volumeMounts:
25 | - name: www
26 | mountPath: /usr/share/nginx/html
27 | volumeClaimTemplates:
28 | - metadata:
29 | name: www
30 | spec:
31 | accessModes: [ ReadWriteOnce ]
32 | resources:
33 | requests:
34 | storage: 1Gi
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: StatefulSet.default.www
File: /lessons/133/k8s/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: www
6 | namespace: default
7 | spec:
8 | serviceName: nginx
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: registry.k8s.io/nginx-slim:0.8
21 | ports:
22 | - containerPort: 80
23 | name: web
24 | volumeMounts:
25 | - name: www
26 | mountPath: /usr/share/nginx/html
27 | volumeClaimTemplates:
28 | - metadata:
29 | name: www
30 | spec:
31 | accessModes: [ ReadWriteOnce ]
32 | resources:
33 | requests:
34 | storage: 1Gi
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: StatefulSet.default.www
File: /lessons/133/k8s/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: www
6 | namespace: default
7 | spec:
8 | serviceName: nginx
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: registry.k8s.io/nginx-slim:0.8
21 | ports:
22 | - containerPort: 80
23 | name: web
24 | volumeMounts:
25 | - name: www
26 | mountPath: /usr/share/nginx/html
27 | volumeClaimTemplates:
28 | - metadata:
29 | name: www
30 | spec:
31 | accessModes: [ ReadWriteOnce ]
32 | resources:
33 | requests:
34 | storage: 1Gi
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: StatefulSet.default.www
File: /lessons/133/k8s/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: www
6 | namespace: default
7 | spec:
8 | serviceName: nginx
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: registry.k8s.io/nginx-slim:0.8
21 | ports:
22 | - containerPort: 80
23 | name: web
24 | volumeMounts:
25 | - name: www
26 | mountPath: /usr/share/nginx/html
27 | volumeClaimTemplates:
28 | - metadata:
29 | name: www
30 | spec:
31 | accessModes: [ ReadWriteOnce ]
32 | resources:
33 | requests:
34 | storage: 1Gi
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: StatefulSet.default.www
File: /lessons/133/k8s/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: www
6 | namespace: default
7 | spec:
8 | serviceName: nginx
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: registry.k8s.io/nginx-slim:0.8
21 | ports:
22 | - containerPort: 80
23 | name: web
24 | volumeMounts:
25 | - name: www
26 | mountPath: /usr/share/nginx/html
27 | volumeClaimTemplates:
28 | - metadata:
29 | name: www
30 | spec:
31 | accessModes: [ ReadWriteOnce ]
32 | resources:
33 | requests:
34 | storage: 1Gi
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: StatefulSet.default.www
File: /lessons/133/k8s/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: www
6 | namespace: default
7 | spec:
8 | serviceName: nginx
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: registry.k8s.io/nginx-slim:0.8
21 | ports:
22 | - containerPort: 80
23 | name: web
24 | volumeMounts:
25 | - name: www
26 | mountPath: /usr/share/nginx/html
27 | volumeClaimTemplates:
28 | - metadata:
29 | name: www
30 | spec:
31 | accessModes: [ ReadWriteOnce ]
32 | resources:
33 | requests:
34 | storage: 1Gi
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: StatefulSet.default.www
File: /lessons/133/k8s/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: www
6 | namespace: default
7 | spec:
8 | serviceName: nginx
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: registry.k8s.io/nginx-slim:0.8
21 | ports:
22 | - containerPort: 80
23 | name: web
24 | volumeMounts:
25 | - name: www
26 | mountPath: /usr/share/nginx/html
27 | volumeClaimTemplates:
28 | - metadata:
29 | name: www
30 | spec:
31 | accessModes: [ ReadWriteOnce ]
32 | resources:
33 | requests:
34 | storage: 1Gi
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: StatefulSet.default.www
File: /lessons/133/k8s/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: StatefulSet
4 | metadata:
5 | name: www
6 | namespace: default
7 | spec:
8 | serviceName: nginx
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx
13 | template:
14 | metadata:
15 | labels:
16 | app: nginx
17 | spec:
18 | containers:
19 | - name: nginx
20 | image: registry.k8s.io/nginx-slim:0.8
21 | ports:
22 | - containerPort: 80
23 | name: web
24 | volumeMounts:
25 | - name: www
26 | mountPath: /usr/share/nginx/html
27 | volumeClaimTemplates:
28 | - metadata:
29 | name: www
30 | spec:
31 | accessModes: [ ReadWriteOnce ]
32 | resources:
33 | requests:
34 | storage: 1Gi
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: StatefulSet.default.www
File: /lessons/133/k8s/statefulset.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/1-example/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 | spec:
7 |   replicas: 1
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |       - name: nginx
18 |         image: nginx:1.14.2
19 |         ports:
20 |         - containerPort: 80
21 |       nodeSelector:
22 |         disktype: ssd
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/1-example/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/1-example/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/1-example/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/1-example/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/1-example/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/1-example/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/1-example/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/1-example/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/1-example/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/1-example/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/1-example/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/1-example/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/1-example/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/1-example/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/1-example/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/1-example/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/1-example/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/1-example/deployment.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 | spec:
7 |   replicas: 1
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |       - name: nginx
18 |         image: nginx:1.14.2
19 |         ports:
20 |         - containerPort: 80
21 |         resources:
22 |           requests:
23 |             memory: 2Gi
24 |             cpu: "1"
25 |       affinity:
26 |         nodeAffinity:
27 |           requiredDuringSchedulingIgnoredDuringExecution:
28 |             nodeSelectorTerms:
29 |             - matchExpressions:
30 |               - key: disktype
31 |                 operator: In
32 |                 values:
33 |                 - ssd
34 |                 - slow-ssd
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/5-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 | spec:
7 |   replicas: 1
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |       - name: nginx
18 |         image: nginx:1.14.2
19 |         ports:
20 |         - containerPort: 80
21 |         resources:
22 |           requests:
23 |             memory: 2Gi
24 |             cpu: "1"
25 |       affinity:
26 |         nodeAffinity:
27 |           preferredDuringSchedulingIgnoredDuringExecution:
28 |           - weight: 1
29 |             preference:
30 |               matchExpressions:
31 |               - key: disktype
32 |                 operator: In
33 |                 values:
34 |                 - ssd
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/5-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/5-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/5-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/5-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/5-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/5-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/5-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/5-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/5-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/5-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/5-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/5-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/5-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/5-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/5-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/5-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/3-deployment.yaml:2-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
 2 | apiVersion: apps/v1
 3 | kind: Deployment
 4 | metadata:
 5 |   name: nginx
 6 | spec:
 7 |   replicas: 5
 8 |   selector:
 9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
21 |           resources:
22 |             requests:
23 |               memory: 2Gi
24 |               cpu: "1"
25 |       affinity:
26 |         nodeAffinity:
27 |           requiredDuringSchedulingIgnoredDuringExecution:
28 |             nodeSelectorTerms:
29 |               - matchExpressions:
30 |                   - key: disktype
31 |                     operator: In
32 |                     values:
33 |                       - ssd
34 |               - matchExpressions:
35 |                   - key: price
36 |                     operator: In
37 |                     values:
38 |                       - ondemand
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/3-deployment.yaml:2-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/3-deployment.yaml:2-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/3-deployment.yaml:2-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/3-deployment.yaml:2-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/3-deployment.yaml:2-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/3-deployment.yaml:2-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/3-deployment.yaml:2-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/3-deployment.yaml:2-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/3-deployment.yaml:2-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/3-deployment.yaml:2-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/3-deployment.yaml:2-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/3-deployment.yaml:2-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/3-deployment.yaml:2-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/3-deployment.yaml:2-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/3-deployment.yaml:2-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/3-deployment.yaml:2-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/4-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
 2 | apiVersion: apps/v1
 3 | kind: Deployment
 4 | metadata:
 5 |   name: nginx
 6 | spec:
 7 |   replicas: 5
 8 |   selector:
 9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
21 |           resources:
22 |             requests:
23 |               memory: 2Gi
24 |               cpu: "1"
25 |       affinity:
26 |         nodeAffinity:
27 |           requiredDuringSchedulingIgnoredDuringExecution:
28 |             nodeSelectorTerms:
29 |               - matchExpressions:
30 |                   - key: disktype
31 |                     operator: In
32 |                     values:
33 |                       - ssd
34 |                   - key: price
35 |                     operator: In
36 |                     values:
37 |                       - ondemand
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/4-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/4-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/4-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/4-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/4-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/4-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/4-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/4-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/4-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/4-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/4-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/4-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/4-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/4-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/4-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/4-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
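The seventeen checks that fire on 4-deployment.yaml above (and again, identically, on 1-deployment.yaml and 6-deployment.yaml below) all come down to fields that are absent from the pod and container spec: no limits, no probes, no securityContext, no seccomp profile, a mutable tag instead of a digest, the default namespace and an auto-mounted service account token. The following Python is an added example, not code from the tutorials repository or from Checkov. It re-implements each of those checks as a simplified predicate, runs them over the page's nginx Deployment, and then applies one hardened form that passes all of them. Assumptions, none of which come from the page: the namespace `web`; the `nginxinc/nginx-unprivileged` image at an assumed tag `1.25` (it listens on 8080 and writes its pid and temp files under /tmp, so it tolerates a non-root UID and a read-only root filesystem, which the stock `nginx` image on port 80 does not); an all-zero placeholder digest that must be replaced with the real one; and `/` as the probe path. The predicates approximate the Checkov policies (thresholds and annotation handling differ in the real ones) and are a way to see what each finding asks for, not a substitute for running checkov.

```python
"""Added example (not from antonputra/tutorials or Checkov): simplified
re-implementation of the Checkov checks reported above, plus a hardened
nginx Deployment that passes all of them."""
import copy

# lessons/170/2-example/4-deployment.yaml transcribed to a dict; the
# nodeAffinity block is omitted because no check above looks at it.
ORIGINAL = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "nginx"},
    "spec": {
        "replicas": 5,
        "selector": {"matchLabels": {"app": "nginx"}},
        "template": {
            "metadata": {"labels": {"app": "nginx"}},
            "spec": {"containers": [{
                "name": "nginx",
                "image": "nginx:1.14.2",
                "ports": [{"containerPort": 80}],
                "resources": {"requests": {"memory": "2Gi", "cpu": "1"}},
            }]},
        },
    },
}
# Assumed, not from the page: namespace, unprivileged image tag, and an
# all-zero placeholder digest that must be replaced with the real one.
NAMESPACE = "web"
IMAGE = "nginxinc/nginx-unprivileged:1.25"
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64

def pod_spec(m):
    return m["spec"]["template"]["spec"]

def csc(c):
    return c.get("securityContext") or {}   # container-level securityContext

def psc(m):
    return pod_spec(m).get("securityContext") or {}   # pod-level securityContext

def effective(m, c, key):
    """Container securityContext overrides the pod-level one, as in Kubernetes."""
    return csc(c)[key] if key in csc(c) else psc(m).get(key)

def limits(c):
    return (c.get("resources") or {}).get("limits") or {}

def dropped(c):
    return set((csc(c).get("capabilities") or {}).get("drop") or [])

# Simplified predicates for the Checkov policies; True means the check passes.
CHECKS = {
    "CKV_K8S_8": lambda m, c: "livenessProbe" in c,
    "CKV_K8S_9": lambda m, c: "readinessProbe" in c,
    "CKV_K8S_11": lambda m, c: "cpu" in limits(c),
    "CKV_K8S_13": lambda m, c: "memory" in limits(c),
    "CKV_K8S_15": lambda m, c: c.get("imagePullPolicy") == "Always",
    "CKV_K8S_20": lambda m, c: csc(c).get("allowPrivilegeEscalation") is False,
    "CKV_K8S_21": lambda m, c: m["metadata"].get("namespace") not in (None, "default"),
    "CKV_K8S_22": lambda m, c: csc(c).get("readOnlyRootFilesystem") is True,
    "CKV_K8S_23": lambda m, c: effective(m, c, "runAsNonRoot") is True,
    "CKV_K8S_28": lambda m, c: bool(dropped(c) & {"NET_RAW", "ALL"}),
    "CKV_K8S_29": lambda m, c: bool(psc(m)) or bool(csc(c)),
    "CKV_K8S_30": lambda m, c: bool(csc(c)),
    "CKV_K8S_31": lambda m, c: (effective(m, c, "seccompProfile") or {}).get("type") == "RuntimeDefault",
    "CKV_K8S_37": lambda m, c: "ALL" in dropped(c),
    "CKV_K8S_38": lambda m, c: pod_spec(m).get("automountServiceAccountToken") is False,
    "CKV_K8S_40": lambda m, c: (effective(m, c, "runAsUser") or 0) >= 10000,
    "CKV_K8S_43": lambda m, c: "@sha256:" in c.get("image", ""),
}

def failed_checks(m):
    """IDs of checks that fail for at least one container, in numeric order."""
    fails = {cid for c in pod_spec(m)["containers"]
             for cid, check in CHECKS.items() if not check(m, c)}
    return sorted(fails, key=lambda cid: int(cid.rsplit("_", 1)[1]))

def harden(m):
    """Copy of the Deployment with every finding above remediated."""
    h = copy.deepcopy(m)
    h["metadata"]["namespace"] = NAMESPACE                      # CKV_K8S_21
    pod = pod_spec(h)
    pod["automountServiceAccountToken"] = False                 # CKV_K8S_38: nginx never calls the API server
    pod["securityContext"] = {"runAsNonRoot": True, "runAsUser": 10001,        # CKV_K8S_23/29/40
                              "seccompProfile": {"type": "RuntimeDefault"}}    # CKV_K8S_31
    pod["volumes"] = [{"name": "tmp", "emptyDir": {}}]          # scratch space for the read-only rootfs
    for c in pod["containers"]:
        c["image"] = f"{IMAGE}@{PLACEHOLDER_DIGEST}"            # CKV_K8S_43: pin by digest, not tag
        c["imagePullPolicy"] = "Always"                         # CKV_K8S_15
        c["ports"] = [{"containerPort": 8080}]                  # unprivileged image listens on 8080
        c.setdefault("resources", {})["limits"] = {"memory": "2Gi", "cpu": "1"}  # CKV_K8S_11/13
        c["securityContext"] = {"allowPrivilegeEscalation": False,       # CKV_K8S_20
                                "readOnlyRootFilesystem": True,          # CKV_K8S_22
                                "capabilities": {"drop": ["ALL"]}}       # CKV_K8S_28/30/37
        c["volumeMounts"] = [{"name": "tmp", "mountPath": "/tmp"}]
        probe = {"httpGet": {"path": "/", "port": 8080}, "initialDelaySeconds": 5, "periodSeconds": 10}
        c["livenessProbe"] = copy.deepcopy(probe)               # CKV_K8S_8
        c["readinessProbe"] = copy.deepcopy(probe)              # CKV_K8S_9
    return h

if __name__ == "__main__":
    print("original fails:", failed_checks(ORIGINAL))
    print("hardened fails:", failed_checks(harden(ORIGINAL)))
```

Two points worth checking before copying the hardened shape into a real manifest: `readOnlyRootFilesystem: true` only works because every path nginx writes to is backed by the `emptyDir`, so any other image needs its own writable paths enumerated or it will crash at start; and pinning by digest makes `imagePullPolicy: Always` a cheap registry HEAD request rather than a real pull, so satisfying CKV_K8S_15 and CKV_K8S_43 together costs nothing at runtime.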
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/1-deployment.yaml:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
21 | resources:
22 | requests:
23 | memory: 2Gi
24 | cpu: "1"
25 | affinity:
26 | nodeAffinity:
27 | requiredDuringSchedulingIgnoredDuringExecution:
28 | nodeSelectorTerms:
29 | - matchExpressions:
30 | - key: disktype
31 | operator: In
32 | values:
33 | - ssd
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/1-deployment.yaml:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/1-deployment.yaml:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/1-deployment.yaml:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/1-deployment.yaml:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/1-deployment.yaml:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/1-deployment.yaml:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/1-deployment.yaml:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/1-deployment.yaml:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/1-deployment.yaml:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/1-deployment.yaml:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/1-deployment.yaml:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/1-deployment.yaml:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/1-deployment.yaml:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/1-deployment.yaml:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/1-deployment.yaml:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/1-deployment.yaml:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/6-deployment.yaml:2-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 | spec:
7 |   replicas: 1
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |       - name: nginx
18 |         image: nginx:1.14.2
19 |         ports:
20 |         - containerPort: 80
21 |         resources:
22 |           requests:
23 |             memory: 2Gi
24 |             cpu: "1"
25 |       affinity:
26 |         nodeAffinity:
27 |           preferredDuringSchedulingIgnoredDuringExecution:
28 |           - weight: 1
29 |             preference:
30 |               matchExpressions:
31 |               - key: disktype
32 |                 operator: In
33 |                 values:
34 |                 - ssd
35 |           - weight: 50
36 |             preference:
37 |               matchExpressions:
38 |               - key: price
39 |                 operator: In
40 |                 values:
41 |                 - spot
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/6-deployment.yaml:2-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/6-deployment.yaml:2-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/6-deployment.yaml:2-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/6-deployment.yaml:2-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/6-deployment.yaml:2-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/6-deployment.yaml:2-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/6-deployment.yaml:2-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/6-deployment.yaml:2-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/6-deployment.yaml:2-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/6-deployment.yaml:2-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/6-deployment.yaml:2-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/6-deployment.yaml:2-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/6-deployment.yaml:2-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/6-deployment.yaml:2-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/6-deployment.yaml:2-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/2-example/6-deployment.yaml:2-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/4-example/1-deployment.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 | spec:
7 |   replicas: 1
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |       - name: nginx
18 |         image: nginx:1.14.2
19 |         ports:
20 |         - containerPort: 80
21 |       tolerations:
22 |       - key: price
23 |         value: spot
24 |         effect: NoSchedule
25 |         operator: Equal
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/4-example/1-deployment.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/4-example/1-deployment.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/4-example/1-deployment.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/4-example/1-deployment.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/4-example/1-deployment.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/4-example/1-deployment.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/4-example/1-deployment.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/4-example/1-deployment.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/4-example/1-deployment.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/4-example/1-deployment.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/4-example/1-deployment.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/4-example/1-deployment.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/4-example/1-deployment.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/4-example/1-deployment.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/4-example/1-deployment.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/4-example/1-deployment.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/4-example/1-deployment.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/4-example/1-deployment.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: DaemonSet.default.fluent-bit
File: /lessons/170/4-example/2-daemonset.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: DaemonSet
4 | metadata:
5 |   name: fluent-bit
6 | spec:
7 |   selector:
8 |     matchLabels:
9 |       app: fluent-bit
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: fluent-bit
14 |     spec:
15 |       containers:
16 |       - name: fluent-bit
17 |         image: nginx:1.14.2
18 |       tolerations:
19 |       - effect: NoSchedule
20 |         operator: Exists
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: DaemonSet.default.fluent-bit
File: /lessons/170/4-example/2-daemonset.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: DaemonSet.default.fluent-bit
File: /lessons/170/4-example/2-daemonset.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: DaemonSet.default.fluent-bit
File: /lessons/170/4-example/2-daemonset.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: DaemonSet.default.fluent-bit
File: /lessons/170/4-example/2-daemonset.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: DaemonSet.default.fluent-bit
File: /lessons/170/4-example/2-daemonset.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: DaemonSet.default.fluent-bit
File: /lessons/170/4-example/2-daemonset.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: DaemonSet.default.fluent-bit
File: /lessons/170/4-example/2-daemonset.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: DaemonSet.default.fluent-bit
File: /lessons/170/4-example/2-daemonset.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: DaemonSet.default.fluent-bit
File: /lessons/170/4-example/2-daemonset.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: DaemonSet.default.fluent-bit
File: /lessons/170/4-example/2-daemonset.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: DaemonSet.default.fluent-bit
File: /lessons/170/4-example/2-daemonset.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: DaemonSet.default.fluent-bit
File: /lessons/170/4-example/2-daemonset.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: DaemonSet.default.fluent-bit
File: /lessons/170/4-example/2-daemonset.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: DaemonSet.default.fluent-bit
File: /lessons/170/4-example/2-daemonset.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: DaemonSet.default.fluent-bit
File: /lessons/170/4-example/2-daemonset.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: DaemonSet.default.fluent-bit
File: /lessons/170/4-example/2-daemonset.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: DaemonSet.default.fluent-bit
File: /lessons/170/4-example/2-daemonset.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: DaemonSet.default.fluent-bit
File: /lessons/170/4-example/2-daemonset.yaml:2-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/2-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 | spec:
7 |   replicas: 4
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |       - name: nginx
18 |         image: nginx:1.14.2
19 |         ports:
20 |         - containerPort: 80
21 |       affinity:
22 |         podAntiAffinity:
23 |           preferredDuringSchedulingIgnoredDuringExecution:
24 |           - weight: 100
25 |             podAffinityTerm:
26 |               labelSelector:
27 |                 matchExpressions:
28 |                 - key: app
29 |                   operator: In
30 |                   values:
31 |                   - nginx
32 |               topologyKey: "kubernetes.io/hostname"
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/2-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/2-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/2-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/2-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/2-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/2-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/2-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/2-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/2-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/2-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/2-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/2-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/2-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/2-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/2-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/2-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/2-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/2-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.kafka.kafka
File: /lessons/170/3-example/3-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: kafka
6 |   namespace: kafka
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: kafka
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: kafka
16 |     spec:
17 |       containers:
18 |       - name: kafka
19 |         image: nginx:1.14.2
20 |         ports:
21 |         - containerPort: 80
22 |       affinity:
23 |         podAffinity:
24 |           requiredDuringSchedulingIgnoredDuringExecution:
25 |           - labelSelector:
26 |               matchExpressions:
27 |               - key: app
28 |                 operator: In
29 |                 values:
30 |                 - kafka
31 |                 - zookeeper
32 |             topologyKey: "kubernetes.io/hostname"
33 |             namespaceSelector: {}
34 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.kafka.kafka
File: /lessons/170/3-example/3-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.kafka.kafka
File: /lessons/170/3-example/3-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.kafka.kafka
File: /lessons/170/3-example/3-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.kafka.kafka
File: /lessons/170/3-example/3-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.kafka.kafka
File: /lessons/170/3-example/3-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.kafka.kafka
File: /lessons/170/3-example/3-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.kafka.kafka
File: /lessons/170/3-example/3-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.kafka.kafka
File: /lessons/170/3-example/3-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.kafka.kafka
File: /lessons/170/3-example/3-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.kafka.kafka
File: /lessons/170/3-example/3-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.kafka.kafka
File: /lessons/170/3-example/3-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.kafka.kafka
File: /lessons/170/3-example/3-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.kafka.kafka
File: /lessons/170/3-example/3-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.kafka.kafka
File: /lessons/170/3-example/3-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.kafka.kafka
File: /lessons/170/3-example/3-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.kafka.kafka
File: /lessons/170/3-example/3-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.kafka.kafka
File: /lessons/170/3-example/3-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.zookeeper.zookeeper
File: /lessons/170/3-example/3-deployment.yaml:35-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
35 | apiVersion: apps/v1
36 | kind: Deployment
37 | metadata:
38 |   name: zookeeper
39 |   namespace: zookeeper
40 | spec:
41 |   replicas: 1
42 |   selector:
43 |     matchLabels:
44 |       app: zookeeper
45 |   template:
46 |     metadata:
47 |       labels:
48 |         app: zookeeper
49 |     spec:
50 |       containers:
51 |       - name: zookeeper
52 |         image: nginx:1.14.2
53 |         ports:
54 |         - containerPort: 80
55 |       affinity:
56 |         podAffinity:
57 |           requiredDuringSchedulingIgnoredDuringExecution:
58 |           - labelSelector:
59 |               matchExpressions:
60 |               - key: app
61 |                 operator: In
62 |                 values:
63 |                 - kafka
64 |                 - zookeeper
65 |             topologyKey: "kubernetes.io/hostname"
66 |             namespaceSelector: {}
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.zookeeper.zookeeper
File: /lessons/170/3-example/3-deployment.yaml:35-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.zookeeper.zookeeper
File: /lessons/170/3-example/3-deployment.yaml:35-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.zookeeper.zookeeper
File: /lessons/170/3-example/3-deployment.yaml:35-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.zookeeper.zookeeper
File: /lessons/170/3-example/3-deployment.yaml:35-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.zookeeper.zookeeper
File: /lessons/170/3-example/3-deployment.yaml:35-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.zookeeper.zookeeper
File: /lessons/170/3-example/3-deployment.yaml:35-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.zookeeper.zookeeper
File: /lessons/170/3-example/3-deployment.yaml:35-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.zookeeper.zookeeper
File: /lessons/170/3-example/3-deployment.yaml:35-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.zookeeper.zookeeper
File: /lessons/170/3-example/3-deployment.yaml:35-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.zookeeper.zookeeper
File: /lessons/170/3-example/3-deployment.yaml:35-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.zookeeper.zookeeper
File: /lessons/170/3-example/3-deployment.yaml:35-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.zookeeper.zookeeper
File: /lessons/170/3-example/3-deployment.yaml:35-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.zookeeper.zookeeper
File: /lessons/170/3-example/3-deployment.yaml:35-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.zookeeper.zookeeper
File: /lessons/170/3-example/3-deployment.yaml:35-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.zookeeper.zookeeper
File: /lessons/170/3-example/3-deployment.yaml:35-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.zookeeper.zookeeper
File: /lessons/170/3-example/3-deployment.yaml:35-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.zookeeper.zookeeper
File: /lessons/170/3-example/3-deployment.yaml:35-66
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/1-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 | spec:
7 |   replicas: 5
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
21 |       affinity:
22 |         podAntiAffinity:
23 |           requiredDuringSchedulingIgnoredDuringExecution:
24 |             - labelSelector:
25 |                 matchExpressions:
26 |                   - key: app
27 |                     operator: In
28 |                     values:
29 |                       - nginx
30 |               topologyKey: "kubernetes.io/hostname"
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/1-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/1-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/1-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/1-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/1-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/1-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/1-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/1-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/1-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/1-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/1-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/1-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/1-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/1-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/1-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/1-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/1-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx
File: /lessons/170/3-example/1-deployment.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.1-example.nginx
File: /lessons/167/1-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 |   namespace: 1-example
7 |   labels:
8 |     app: nginx
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: nginx
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: nginx
18 |     spec:
19 |       containers:
20 |         - name: nginx
21 |           image: nginx:1.25.0
22 |           ports:
23 |             - containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.1-example.nginx
File: /lessons/167/1-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.1-example.nginx
File: /lessons/167/1-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.1-example.nginx
File: /lessons/167/1-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.1-example.nginx
File: /lessons/167/1-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.1-example.nginx
File: /lessons/167/1-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.1-example.nginx
File: /lessons/167/1-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.1-example.nginx
File: /lessons/167/1-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.1-example.nginx
File: /lessons/167/1-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.1-example.nginx
File: /lessons/167/1-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.1-example.nginx
File: /lessons/167/1-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.1-example.nginx
File: /lessons/167/1-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.1-example.nginx
File: /lessons/167/1-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.1-example.nginx
File: /lessons/167/1-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.1-example.nginx
File: /lessons/167/1-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.1-example.nginx
File: /lessons/167/1-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.1-example.nginx
File: /lessons/167/1-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: 1-example
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.1-example.nginx
File: /lessons/167/1-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: 1-example
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /lessons/167/1-example/3-dashboard.yaml:146-213
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /lessons/167/1-example/3-dashboard.yaml:146-213
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /lessons/167/1-example/3-dashboard.yaml:146-213
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /lessons/167/1-example/3-dashboard.yaml:146-213
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /lessons/167/1-example/3-dashboard.yaml:146-213
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_33: "Ensure the Kubernetes dashboard is not deployed"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /lessons/167/1-example/3-dashboard.yaml:146-213
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-31.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /lessons/167/1-example/3-dashboard.yaml:146-213
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /lessons/167/1-example/3-dashboard.yaml:146-213
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /lessons/167/1-example/3-dashboard.yaml:146-213
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /lessons/167/1-example/3-dashboard.yaml:146-213
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /lessons/167/1-example/3-dashboard.yaml:146-213
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /lessons/167/1-example/3-dashboard.yaml:229-280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /lessons/167/1-example/3-dashboard.yaml:229-280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /lessons/167/1-example/3-dashboard.yaml:229-280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /lessons/167/1-example/3-dashboard.yaml:229-280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /lessons/167/1-example/3-dashboard.yaml:229-280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_33: "Ensure the Kubernetes dashboard is not deployed"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /lessons/167/1-example/3-dashboard.yaml:229-280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-31.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /lessons/167/1-example/3-dashboard.yaml:229-280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /lessons/167/1-example/3-dashboard.yaml:229-280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /lessons/167/1-example/3-dashboard.yaml:229-280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /lessons/167/1-example/3-dashboard.yaml:229-280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /lessons/167/1-example/3-dashboard.yaml:229-280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /lessons/167/1-example/3-dashboard.yaml:229-280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.9-example.echoserver
File: /lessons/167/9-example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: 9-example
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.9-example.echoserver
File: /lessons/167/9-example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: 9-example
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.9-example.echoserver
File: /lessons/167/9-example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: 9-example
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.9-example.echoserver
File: /lessons/167/9-example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: 9-example
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.9-example.echoserver
File: /lessons/167/9-example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: 9-example
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.9-example.echoserver
File: /lessons/167/9-example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: 9-example
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.9-example.echoserver
File: /lessons/167/9-example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: 9-example
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.9-example.echoserver
File: /lessons/167/9-example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: 9-example
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.9-example.echoserver
File: /lessons/167/9-example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: 9-example
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.9-example.echoserver
File: /lessons/167/9-example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: 9-example
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.9-example.echoserver
File: /lessons/167/9-example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: 9-example
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.9-example.echoserver
File: /lessons/167/9-example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: 9-example
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.9-example.echoserver
File: /lessons/167/9-example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: 9-example
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.9-example.echoserver
File: /lessons/167/9-example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: 9-example
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.9-example.echoserver
File: /lessons/167/9-example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: 9-example
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.9-example.echoserver
File: /lessons/167/9-example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: 9-example
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.9-example.echoserver
File: /lessons/167/9-example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: 9-example
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.9-example.echoserver
File: /lessons/167/9-example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: 9-example
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.2-example.mongo
File: /lessons/167/2-example/1-mongo.yaml:8-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | name: mongo
12 | namespace: 2-example
13 | labels:
14 | app.kubernetes.io/name: mongo
15 | app.kubernetes.io/component: backend
16 | spec:
17 | selector:
18 | matchLabels:
19 | app.kubernetes.io/name: mongo
20 | app.kubernetes.io/component: backend
21 | replicas: 1
22 | template:
23 | metadata:
24 | labels:
25 | app.kubernetes.io/name: mongo
26 | app.kubernetes.io/component: backend
27 | spec:
28 | containers:
29 | - name: mongo
30 | image: mongo:4.2
31 | args:
32 | - --bind_ip
33 | - 0.0.0.0
34 | resources:
35 | requests:
36 | cpu: 100m
37 | memory: 100Mi
38 | ports:
39 | - containerPort: 27017
40 |
41 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.2-example.mongo
File: /lessons/167/2-example/1-mongo.yaml:8-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | name: mongo
12 | namespace: 2-example
13 | labels:
14 | app.kubernetes.io/name: mongo
15 | app.kubernetes.io/component: backend
16 | spec:
17 | selector:
18 | matchLabels:
19 | app.kubernetes.io/name: mongo
20 | app.kubernetes.io/component: backend
21 | replicas: 1
22 | template:
23 | metadata:
24 | labels:
25 | app.kubernetes.io/name: mongo
26 | app.kubernetes.io/component: backend
27 | spec:
28 | containers:
29 | - name: mongo
30 | image: mongo:4.2
31 | args:
32 | - --bind_ip
33 | - 0.0.0.0
34 | resources:
35 | requests:
36 | cpu: 100m
37 | memory: 100Mi
38 | ports:
39 | - containerPort: 27017
40 |
41 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.2-example.mongo
File: /lessons/167/2-example/1-mongo.yaml:8-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | name: mongo
12 | namespace: 2-example
13 | labels:
14 | app.kubernetes.io/name: mongo
15 | app.kubernetes.io/component: backend
16 | spec:
17 | selector:
18 | matchLabels:
19 | app.kubernetes.io/name: mongo
20 | app.kubernetes.io/component: backend
21 | replicas: 1
22 | template:
23 | metadata:
24 | labels:
25 | app.kubernetes.io/name: mongo
26 | app.kubernetes.io/component: backend
27 | spec:
28 | containers:
29 | - name: mongo
30 | image: mongo:4.2
31 | args:
32 | - --bind_ip
33 | - 0.0.0.0
34 | resources:
35 | requests:
36 | cpu: 100m
37 | memory: 100Mi
38 | ports:
39 | - containerPort: 27017
40 |
41 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.2-example.mongo
File: /lessons/167/2-example/1-mongo.yaml:8-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | name: mongo
12 | namespace: 2-example
13 | labels:
14 | app.kubernetes.io/name: mongo
15 | app.kubernetes.io/component: backend
16 | spec:
17 | selector:
18 | matchLabels:
19 | app.kubernetes.io/name: mongo
20 | app.kubernetes.io/component: backend
21 | replicas: 1
22 | template:
23 | metadata:
24 | labels:
25 | app.kubernetes.io/name: mongo
26 | app.kubernetes.io/component: backend
27 | spec:
28 | containers:
29 | - name: mongo
30 | image: mongo:4.2
31 | args:
32 | - --bind_ip
33 | - 0.0.0.0
34 | resources:
35 | requests:
36 | cpu: 100m
37 | memory: 100Mi
38 | ports:
39 | - containerPort: 27017
40 |
41 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.2-example.mongo
File: /lessons/167/2-example/1-mongo.yaml:8-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | name: mongo
12 | namespace: 2-example
13 | labels:
14 | app.kubernetes.io/name: mongo
15 | app.kubernetes.io/component: backend
16 | spec:
17 | selector:
18 | matchLabels:
19 | app.kubernetes.io/name: mongo
20 | app.kubernetes.io/component: backend
21 | replicas: 1
22 | template:
23 | metadata:
24 | labels:
25 | app.kubernetes.io/name: mongo
26 | app.kubernetes.io/component: backend
27 | spec:
28 | containers:
29 | - name: mongo
30 | image: mongo:4.2
31 | args:
32 | - --bind_ip
33 | - 0.0.0.0
34 | resources:
35 | requests:
36 | cpu: 100m
37 | memory: 100Mi
38 | ports:
39 | - containerPort: 27017
40 |
41 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.2-example.mongo
File: /lessons/167/2-example/1-mongo.yaml:8-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | name: mongo
12 | namespace: 2-example
13 | labels:
14 | app.kubernetes.io/name: mongo
15 | app.kubernetes.io/component: backend
16 | spec:
17 | selector:
18 | matchLabels:
19 | app.kubernetes.io/name: mongo
20 | app.kubernetes.io/component: backend
21 | replicas: 1
22 | template:
23 | metadata:
24 | labels:
25 | app.kubernetes.io/name: mongo
26 | app.kubernetes.io/component: backend
27 | spec:
28 | containers:
29 | - name: mongo
30 | image: mongo:4.2
31 | args:
32 | - --bind_ip
33 | - 0.0.0.0
34 | resources:
35 | requests:
36 | cpu: 100m
37 | memory: 100Mi
38 | ports:
39 | - containerPort: 27017
40 |
41 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.2-example.mongo
File: /lessons/167/2-example/1-mongo.yaml:8-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | name: mongo
12 | namespace: 2-example
13 | labels:
14 | app.kubernetes.io/name: mongo
15 | app.kubernetes.io/component: backend
16 | spec:
17 | selector:
18 | matchLabels:
19 | app.kubernetes.io/name: mongo
20 | app.kubernetes.io/component: backend
21 | replicas: 1
22 | template:
23 | metadata:
24 | labels:
25 | app.kubernetes.io/name: mongo
26 | app.kubernetes.io/component: backend
27 | spec:
28 | containers:
29 | - name: mongo
30 | image: mongo:4.2
31 | args:
32 | - --bind_ip
33 | - 0.0.0.0
34 | resources:
35 | requests:
36 | cpu: 100m
37 | memory: 100Mi
38 | ports:
39 | - containerPort: 27017
40 |
41 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.2-example.mongo
File: /lessons/167/2-example/1-mongo.yaml:8-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | name: mongo
12 | namespace: 2-example
13 | labels:
14 | app.kubernetes.io/name: mongo
15 | app.kubernetes.io/component: backend
16 | spec:
17 | selector:
18 | matchLabels:
19 | app.kubernetes.io/name: mongo
20 | app.kubernetes.io/component: backend
21 | replicas: 1
22 | template:
23 | metadata:
24 | labels:
25 | app.kubernetes.io/name: mongo
26 | app.kubernetes.io/component: backend
27 | spec:
28 | containers:
29 | - name: mongo
30 | image: mongo:4.2
31 | args:
32 | - --bind_ip
33 | - 0.0.0.0
34 | resources:
35 | requests:
36 | cpu: 100m
37 | memory: 100Mi
38 | ports:
39 | - containerPort: 27017
40 |
41 | ---
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.2-example.mongo
File: /lessons/167/2-example/1-mongo.yaml:8-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | name: mongo
12 | namespace: 2-example
13 | labels:
14 | app.kubernetes.io/name: mongo
15 | app.kubernetes.io/component: backend
16 | spec:
17 | selector:
18 | matchLabels:
19 | app.kubernetes.io/name: mongo
20 | app.kubernetes.io/component: backend
21 | replicas: 1
22 | template:
23 | metadata:
24 | labels:
25 | app.kubernetes.io/name: mongo
26 | app.kubernetes.io/component: backend
27 | spec:
28 | containers:
29 | - name: mongo
30 | image: mongo:4.2
31 | args:
32 | - --bind_ip
33 | - 0.0.0.0
34 | resources:
35 | requests:
36 | cpu: 100m
37 | memory: 100Mi
38 | ports:
39 | - containerPort: 27017
40 |
41 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.2-example.mongo
File: /lessons/167/2-example/1-mongo.yaml:8-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | name: mongo
12 | namespace: 2-example
13 | labels:
14 | app.kubernetes.io/name: mongo
15 | app.kubernetes.io/component: backend
16 | spec:
17 | selector:
18 | matchLabels:
19 | app.kubernetes.io/name: mongo
20 | app.kubernetes.io/component: backend
21 | replicas: 1
22 | template:
23 | metadata:
24 | labels:
25 | app.kubernetes.io/name: mongo
26 | app.kubernetes.io/component: backend
27 | spec:
28 | containers:
29 | - name: mongo
30 | image: mongo:4.2
31 | args:
32 | - --bind_ip
33 | - 0.0.0.0
34 | resources:
35 | requests:
36 | cpu: 100m
37 | memory: 100Mi
38 | ports:
39 | - containerPort: 27017
40 |
41 | ---
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.2-example.mongo
File: /lessons/167/2-example/1-mongo.yaml:8-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | name: mongo
12 | namespace: 2-example
13 | labels:
14 | app.kubernetes.io/name: mongo
15 | app.kubernetes.io/component: backend
16 | spec:
17 | selector:
18 | matchLabels:
19 | app.kubernetes.io/name: mongo
20 | app.kubernetes.io/component: backend
21 | replicas: 1
22 | template:
23 | metadata:
24 | labels:
25 | app.kubernetes.io/name: mongo
26 | app.kubernetes.io/component: backend
27 | spec:
28 | containers:
29 | - name: mongo
30 | image: mongo:4.2
31 | args:
32 | - --bind_ip
33 | - 0.0.0.0
34 | resources:
35 | requests:
36 | cpu: 100m
37 | memory: 100Mi
38 | ports:
39 | - containerPort: 27017
40 |
41 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.2-example.mongo
File: /lessons/167/2-example/1-mongo.yaml:8-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | name: mongo
12 | namespace: 2-example
13 | labels:
14 | app.kubernetes.io/name: mongo
15 | app.kubernetes.io/component: backend
16 | spec:
17 | selector:
18 | matchLabels:
19 | app.kubernetes.io/name: mongo
20 | app.kubernetes.io/component: backend
21 | replicas: 1
22 | template:
23 | metadata:
24 | labels:
25 | app.kubernetes.io/name: mongo
26 | app.kubernetes.io/component: backend
27 | spec:
28 | containers:
29 | - name: mongo
30 | image: mongo:4.2
31 | args:
32 | - --bind_ip
33 | - 0.0.0.0
34 | resources:
35 | requests:
36 | cpu: 100m
37 | memory: 100Mi
38 | ports:
39 | - containerPort: 27017
40 |
41 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.2-example.mongo
File: /lessons/167/2-example/1-mongo.yaml:8-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | name: mongo
12 | namespace: 2-example
13 | labels:
14 | app.kubernetes.io/name: mongo
15 | app.kubernetes.io/component: backend
16 | spec:
17 | selector:
18 | matchLabels:
19 | app.kubernetes.io/name: mongo
20 | app.kubernetes.io/component: backend
21 | replicas: 1
22 | template:
23 | metadata:
24 | labels:
25 | app.kubernetes.io/name: mongo
26 | app.kubernetes.io/component: backend
27 | spec:
28 | containers:
29 | - name: mongo
30 | image: mongo:4.2
31 | args:
32 | - --bind_ip
33 | - 0.0.0.0
34 | resources:
35 | requests:
36 | cpu: 100m
37 | memory: 100Mi
38 | ports:
39 | - containerPort: 27017
40 |
41 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.2-example.mongo
File: /lessons/167/2-example/1-mongo.yaml:8-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | name: mongo
12 | namespace: 2-example
13 | labels:
14 | app.kubernetes.io/name: mongo
15 | app.kubernetes.io/component: backend
16 | spec:
17 | selector:
18 | matchLabels:
19 | app.kubernetes.io/name: mongo
20 | app.kubernetes.io/component: backend
21 | replicas: 1
22 | template:
23 | metadata:
24 | labels:
25 | app.kubernetes.io/name: mongo
26 | app.kubernetes.io/component: backend
27 | spec:
28 | containers:
29 | - name: mongo
30 | image: mongo:4.2
31 | args:
32 | - --bind_ip
33 | - 0.0.0.0
34 | resources:
35 | requests:
36 | cpu: 100m
37 | memory: 100Mi
38 | ports:
39 | - containerPort: 27017
40 |
41 | ---
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.2-example.mongo
File: /lessons/167/2-example/1-mongo.yaml:8-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | name: mongo
12 | namespace: 2-example
13 | labels:
14 | app.kubernetes.io/name: mongo
15 | app.kubernetes.io/component: backend
16 | spec:
17 | selector:
18 | matchLabels:
19 | app.kubernetes.io/name: mongo
20 | app.kubernetes.io/component: backend
21 | replicas: 1
22 | template:
23 | metadata:
24 | labels:
25 | app.kubernetes.io/name: mongo
26 | app.kubernetes.io/component: backend
27 | spec:
28 | containers:
29 | - name: mongo
30 | image: mongo:4.2
31 | args:
32 | - --bind_ip
33 | - 0.0.0.0
34 | resources:
35 | requests:
36 | cpu: 100m
37 | memory: 100Mi
38 | ports:
39 | - containerPort: 27017
40 |
41 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.2-example.mongo
File: /lessons/167/2-example/1-mongo.yaml:8-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
8 | apiVersion: apps/v1
9 | kind: Deployment
10 | metadata:
11 | name: mongo
12 | namespace: 2-example
13 | labels:
14 | app.kubernetes.io/name: mongo
15 | app.kubernetes.io/component: backend
16 | spec:
17 | selector:
18 | matchLabels:
19 | app.kubernetes.io/name: mongo
20 | app.kubernetes.io/component: backend
21 | replicas: 1
22 | template:
23 | metadata:
24 | labels:
25 | app.kubernetes.io/name: mongo
26 | app.kubernetes.io/component: backend
27 | spec:
28 | containers:
29 | - name: mongo
30 | image: mongo:4.2
31 | args:
32 | - --bind_ip
33 | - 0.0.0.0
34 | resources:
35 | requests:
36 | cpu: 100m
37 | memory: 100Mi
38 | ports:
39 | - containerPort: 27017
40 |
41 | ---
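The twelve findings above for Deployment.2-example.mongo (and the matching ones reported below for service-a and nginx) all come from the same family of Pod-hardening policies, so it is worth seeing in one place what the scanner is actually testing and what a manifest that satisfies all of them looks like. The script below is an added example, not code from the antonputra/tutorials repository and not checkov's own implementation: it re-implements the checks as a simplified approximation of the checkov policies named in the output, embeds the mongo Deployment from the scan as the dict that yaml.safe_load() would return (so it runs offline without PyYAML), and produces a hardened copy. The UID 10001, the resource limits, the emptyDir volumes, the probe settings and the all-zero image digest are assumptions for illustration; the real digest must be resolved from the registry, for example with `crane digest mongo:4.2`.

```python
from copy import deepcopy

# The mongo Deployment from lessons/167/2-example/1-mongo.yaml (the scan target
# above), written as the dict yaml.safe_load() would return so no PyYAML is needed.
MONGO_ORIGINAL = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "mongo", "namespace": "2-example",
                 "labels": {"app.kubernetes.io/name": "mongo", "app.kubernetes.io/component": "backend"}},
    "spec": {"replicas": 1,
             "selector": {"matchLabels": {"app.kubernetes.io/name": "mongo",
                                          "app.kubernetes.io/component": "backend"}},
             "template": {"metadata": {"labels": {"app.kubernetes.io/name": "mongo",
                                                  "app.kubernetes.io/component": "backend"}},
                          "spec": {"containers": [{
                              "name": "mongo", "image": "mongo:4.2",
                              "args": ["--bind_ip", "0.0.0.0"],
                              "resources": {"requests": {"cpu": "100m", "memory": "100Mi"}},
                              "ports": [{"containerPort": 27017}]}]}}}}

# Placeholder (64 zeros), NOT the real mongo:4.2 digest: resolve it with `crane digest mongo:4.2`.
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64


def harden(deployment):
    """Return a copy of the Deployment with the fields the failed checks ask for.
    mongod needs a writable data directory and /tmp (its unix socket), so those
    become emptyDir volumes once the root filesystem is read-only. UID/GID 10001
    is an assumption; fsGroup makes the emptyDir volumes writable for that UID."""
    d = deepcopy(deployment)
    pod = d["spec"]["template"]["spec"]
    pod["automountServiceAccountToken"] = False                          # CKV_K8S_38
    pod["securityContext"] = {                                           # CKV_K8S_29
        "runAsNonRoot": True, "runAsUser": 10001, "runAsGroup": 10001, "fsGroup": 10001,
        "seccompProfile": {"type": "RuntimeDefault"}}                    # CKV_K8S_31
    pod["volumes"] = [{"name": "data", "emptyDir": {}}, {"name": "tmp", "emptyDir": {}}]
    for c in pod["containers"]:
        c["image"] = c["image"] + "@" + PLACEHOLDER_DIGEST               # CKV_K8S_43
        c["imagePullPolicy"] = "Always"                                  # CKV_K8S_15
        c["resources"]["limits"] = {"cpu": "500m", "memory": "512Mi"}    # CKV_K8S_11 / 13
        c["securityContext"] = {                                         # CKV_K8S_30
            "allowPrivilegeEscalation": False,                           # CKV_K8S_20
            "readOnlyRootFilesystem": True,                              # CKV_K8S_22
            "runAsNonRoot": True, "runAsUser": 10001,                    # CKV_K8S_23 / 40
            "capabilities": {"drop": ["ALL"]}}                           # CKV_K8S_28 / 37
        c["volumeMounts"] = [{"name": "data", "mountPath": "/data/db"},
                             {"name": "tmp", "mountPath": "/tmp"}]
        probe = {"tcpSocket": {"port": 27017}, "initialDelaySeconds": 10, "periodSeconds": 10}
        c["livenessProbe"] = deepcopy(probe)                             # CKV_K8S_8
        c["readinessProbe"] = deepcopy(probe)                            # CKV_K8S_9
    return d


def failed_checks(deployment):
    """Return the sorted IDs of the checks from the scan above that the Deployment
    fails. This approximates the checkov policies; it is not checkov's code."""
    pod = deployment["spec"]["template"]["spec"]
    psc = pod.get("securityContext") or {}
    failed = set()
    if pod.get("automountServiceAccountToken") is not False:
        failed.add("CKV_K8S_38")
    if (psc.get("seccompProfile") or {}).get("type") != "RuntimeDefault":
        failed.add("CKV_K8S_31")
    for c in pod["containers"]:
        csc = c.get("securityContext") or {}
        res = c.get("resources") or {}
        caps = csc.get("capabilities") or {}
        drop = {x.upper() for x in caps.get("drop", [])}
        uid = csc.get("runAsUser", psc.get("runAsUser"))          # container overrides pod
        nonroot = csc.get("runAsNonRoot", psc.get("runAsNonRoot"))
        passed = {
            "CKV_K8S_8": "livenessProbe" in c,
            "CKV_K8S_9": "readinessProbe" in c,
            "CKV_K8S_10": "cpu" in res.get("requests", {}),
            "CKV_K8S_11": "cpu" in res.get("limits", {}),
            "CKV_K8S_12": "memory" in res.get("requests", {}),
            "CKV_K8S_13": "memory" in res.get("limits", {}),
            "CKV_K8S_15": c.get("imagePullPolicy") == "Always",
            "CKV_K8S_20": csc.get("allowPrivilegeEscalation") is False,
            "CKV_K8S_22": csc.get("readOnlyRootFilesystem") is True,
            "CKV_K8S_23": nonroot is True or (uid is not None and uid > 0),
            "CKV_K8S_28": bool(drop & {"NET_RAW", "ALL"}),
            "CKV_K8S_29": bool(csc) and bool(psc),
            "CKV_K8S_30": bool(csc),
            "CKV_K8S_37": "ALL" in drop and not caps.get("add"),
            "CKV_K8S_40": uid is not None and uid > 10000,
            "CKV_K8S_43": "@sha256:" in c["image"],
        }
        failed.update(k for k, ok in passed.items() if not ok)
    return sorted(failed)


if __name__ == "__main__":
    print("original:", failed_checks(MONGO_ORIGINAL))
    print("hardened:", failed_checks(harden(MONGO_ORIGINAL)))
```

Running it lists the same check IDs for the original manifest that the scan reports (CKV_K8S_10 and CKV_K8S_12 pass because the mongo Deployment already sets CPU and memory requests) and nothing for the hardened copy. Two caveats when applying the hardened fields to the real YAML: the official mongo image drops its own chown/gosu step when it is not started as root, so the fsGroup and the emptyDir mounts on /data/db and /tmp are what keep mongod able to write, and an emptyDir is throwaway storage, so production data belongs on a PersistentVolumeClaim mounted at the same path. The scanner does not flag `--bind_ip 0.0.0.0`; restricting who can reach port 27017 is a NetworkPolicy concern outside these checks. To reproduce the report itself, run `checkov -d lessons/167 --framework kubernetes` from the repository root.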
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.2-example.service-a
File: /lessons/167/2-example/2-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: 2-example
7 | labels:
8 | app: service-a
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: service-a
14 | template:
15 | metadata:
16 | labels:
17 | app: service-a
18 | spec:
19 | containers:
20 | - name: service-a
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
24 |
25 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.2-example.service-a
File: /lessons/167/2-example/2-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: 2-example
7 | labels:
8 | app: service-a
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: service-a
14 | template:
15 | metadata:
16 | labels:
17 | app: service-a
18 | spec:
19 | containers:
20 | - name: service-a
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
24 |
25 | ---
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.2-example.service-a
File: /lessons/167/2-example/2-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: 2-example
7 | labels:
8 | app: service-a
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: service-a
14 | template:
15 | metadata:
16 | labels:
17 | app: service-a
18 | spec:
19 | containers:
20 | - name: service-a
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
24 |
25 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.2-example.service-a
File: /lessons/167/2-example/2-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: 2-example
7 | labels:
8 | app: service-a
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: service-a
14 | template:
15 | metadata:
16 | labels:
17 | app: service-a
18 | spec:
19 | containers:
20 | - name: service-a
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
24 |
25 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.2-example.service-a
File: /lessons/167/2-example/2-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: 2-example
7 | labels:
8 | app: service-a
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: service-a
14 | template:
15 | metadata:
16 | labels:
17 | app: service-a
18 | spec:
19 | containers:
20 | - name: service-a
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
24 |
25 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.2-example.service-a
File: /lessons/167/2-example/2-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: 2-example
7 | labels:
8 | app: service-a
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: service-a
14 | template:
15 | metadata:
16 | labels:
17 | app: service-a
18 | spec:
19 | containers:
20 | - name: service-a
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
24 |
25 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.2-example.service-a
File: /lessons/167/2-example/2-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: 2-example
7 | labels:
8 | app: service-a
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: service-a
14 | template:
15 | metadata:
16 | labels:
17 | app: service-a
18 | spec:
19 | containers:
20 | - name: service-a
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
24 |
25 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.2-example.service-a
File: /lessons/167/2-example/2-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: 2-example
7 | labels:
8 | app: service-a
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: service-a
14 | template:
15 | metadata:
16 | labels:
17 | app: service-a
18 | spec:
19 | containers:
20 | - name: service-a
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
24 |
25 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.2-example.service-a
File: /lessons/167/2-example/2-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: 2-example
7 | labels:
8 | app: service-a
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: service-a
14 | template:
15 | metadata:
16 | labels:
17 | app: service-a
18 | spec:
19 | containers:
20 | - name: service-a
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
24 |
25 | ---
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.2-example.service-a
File: /lessons/167/2-example/2-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: 2-example
7 | labels:
8 | app: service-a
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: service-a
14 | template:
15 | metadata:
16 | labels:
17 | app: service-a
18 | spec:
19 | containers:
20 | - name: service-a
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
24 |
25 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.2-example.service-a
File: /lessons/167/2-example/2-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: 2-example
7 | labels:
8 | app: service-a
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: service-a
14 | template:
15 | metadata:
16 | labels:
17 | app: service-a
18 | spec:
19 | containers:
20 | - name: service-a
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
24 |
25 | ---
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.2-example.service-a
File: /lessons/167/2-example/2-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: 2-example
7 | labels:
8 | app: service-a
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: service-a
14 | template:
15 | metadata:
16 | labels:
17 | app: service-a
18 | spec:
19 | containers:
20 | - name: service-a
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
24 |
25 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.2-example.service-a
File: /lessons/167/2-example/2-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: 2-example
7 | labels:
8 | app: service-a
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: service-a
14 | template:
15 | metadata:
16 | labels:
17 | app: service-a
18 | spec:
19 | containers:
20 | - name: service-a
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
24 |
25 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.2-example.service-a
File: /lessons/167/2-example/2-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: 2-example
7 | labels:
8 | app: service-a
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: service-a
14 | template:
15 | metadata:
16 | labels:
17 | app: service-a
18 | spec:
19 | containers:
20 | - name: service-a
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
24 |
25 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.2-example.service-a
File: /lessons/167/2-example/2-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: 2-example
7 | labels:
8 | app: service-a
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: service-a
14 | template:
15 | metadata:
16 | labels:
17 | app: service-a
18 | spec:
19 | containers:
20 | - name: service-a
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
24 |
25 | ---
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.2-example.service-a
File: /lessons/167/2-example/2-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: 2-example
7 | labels:
8 | app: service-a
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: service-a
14 | template:
15 | metadata:
16 | labels:
17 | app: service-a
18 | spec:
19 | containers:
20 | - name: service-a
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
24 |
25 | ---
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.2-example.service-a
File: /lessons/167/2-example/2-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: 2-example
7 | labels:
8 | app: service-a
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: service-a
14 | template:
15 | metadata:
16 | labels:
17 | app: service-a
18 | spec:
19 | containers:
20 | - name: service-a
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
24 |
25 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.2-example.service-a
File: /lessons/167/2-example/2-service-a.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: 2-example
7 | labels:
8 | app: service-a
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: service-a
14 | template:
15 | metadata:
16 | labels:
17 | app: service-a
18 | spec:
19 | containers:
20 | - name: service-a
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
24 |
25 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.4-example.nginx
File: /lessons/167/4-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: 4-example
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.4-example.nginx
File: /lessons/167/4-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: 4-example
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.4-example.nginx
File: /lessons/167/4-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: 4-example
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.4-example.nginx
File: /lessons/167/4-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: 4-example
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.4-example.nginx
File: /lessons/167/4-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: 4-example
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.4-example.nginx
File: /lessons/167/4-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: 4-example
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.4-example.nginx
File: /lessons/167/4-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: 4-example
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.4-example.nginx
File: /lessons/167/4-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: 4-example
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.4-example.nginx
File: /lessons/167/4-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: 4-example
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.4-example.nginx
File: /lessons/167/4-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: 4-example
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.4-example.nginx
File: /lessons/167/4-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.4-example.nginx
File: /lessons/167/4-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.4-example.nginx
File: /lessons/167/4-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.4-example.nginx
File: /lessons/167/4-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.4-example.nginx
File: /lessons/167/4-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.4-example.nginx
File: /lessons/167/4-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.4-example.nginx
File: /lessons/167/4-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.4-example.nginx
File: /lessons/167/4-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.7-example.nginx
File: /lessons/167/7-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 |   namespace: 7-example
7 |   labels:
8 |     app: nginx
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: nginx
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: nginx
18 |     spec:
19 |       containers:
20 |         - name: nginx
21 |           image: nginx:1.25.0
22 |           ports:
23 |             - containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.7-example.nginx
File: /lessons/167/7-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.7-example.nginx
File: /lessons/167/7-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.7-example.nginx
File: /lessons/167/7-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.7-example.nginx
File: /lessons/167/7-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.7-example.nginx
File: /lessons/167/7-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.7-example.nginx
File: /lessons/167/7-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.7-example.nginx
File: /lessons/167/7-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.7-example.nginx
File: /lessons/167/7-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.7-example.nginx
File: /lessons/167/7-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.7-example.nginx
File: /lessons/167/7-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.7-example.nginx
File: /lessons/167/7-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.7-example.nginx
File: /lessons/167/7-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.7-example.nginx
File: /lessons/167/7-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.7-example.nginx
File: /lessons/167/7-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.7-example.nginx
File: /lessons/167/7-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.7-example.nginx
File: /lessons/167/7-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.7-example.nginx
File: /lessons/167/7-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: DaemonSet.3-example.service-b
File: /lessons/167/3-example/1-daemonset.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: DaemonSet
4 | metadata:
5 |   name: service-b
6 |   namespace: 3-example
7 | spec:
8 |   selector:
9 |     matchLabels:
10 |       name: service-b
11 |   template:
12 |     metadata:
13 |       labels:
14 |         name: service-b
15 |     spec:
16 |       hostNetwork: true
17 |       containers:
18 |         - name: service-b
19 |           image: nginx:1.25.0
20 |           ports:
21 |             - containerPort: 80
22 |       affinity:
23 |         nodeAffinity:
24 |           requiredDuringSchedulingIgnoredDuringExecution:
25 |             nodeSelectorTerms:
26 |               - matchExpressions:
27 |                   - key: role
28 |                     operator: In
29 |                     values:
30 |                       - public-nodes
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: DaemonSet.3-example.service-b
File: /lessons/167/3-example/1-daemonset.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: DaemonSet.3-example.service-b
File: /lessons/167/3-example/1-daemonset.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: DaemonSet.3-example.service-b
File: /lessons/167/3-example/1-daemonset.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: DaemonSet.3-example.service-b
File: /lessons/167/3-example/1-daemonset.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: DaemonSet.3-example.service-b
File: /lessons/167/3-example/1-daemonset.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_19: "Containers should not share the host network namespace"
FAILED for resource: DaemonSet.3-example.service-b
File: /lessons/167/3-example/1-daemonset.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-18.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: DaemonSet.3-example.service-b
File: /lessons/167/3-example/1-daemonset.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: DaemonSet.3-example.service-b
File: /lessons/167/3-example/1-daemonset.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: DaemonSet.3-example.service-b
File: /lessons/167/3-example/1-daemonset.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: DaemonSet.3-example.service-b
File: /lessons/167/3-example/1-daemonset.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: DaemonSet.3-example.service-b
File: /lessons/167/3-example/1-daemonset.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: DaemonSet.3-example.service-b
File: /lessons/167/3-example/1-daemonset.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: DaemonSet.3-example.service-b
File: /lessons/167/3-example/1-daemonset.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: DaemonSet.3-example.service-b
File: /lessons/167/3-example/1-daemonset.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: DaemonSet.3-example.service-b
File: /lessons/167/3-example/1-daemonset.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: DaemonSet.3-example.service-b
File: /lessons/167/3-example/1-daemonset.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: DaemonSet.3-example.service-b
File: /lessons/167/3-example/1-daemonset.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: DaemonSet.3-example.service-b
File: /lessons/167/3-example/1-daemonset.yaml:2-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.6-example.nginx
File: /lessons/167/6-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: 6-example
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.6-example.nginx
File: /lessons/167/6-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.6-example.nginx
File: /lessons/167/6-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.6-example.nginx
File: /lessons/167/6-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.6-example.nginx
File: /lessons/167/6-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.6-example.nginx
File: /lessons/167/6-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.6-example.nginx
File: /lessons/167/6-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.6-example.nginx
File: /lessons/167/6-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.6-example.nginx
File: /lessons/167/6-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.6-example.nginx
File: /lessons/167/6-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.6-example.nginx
File: /lessons/167/6-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.6-example.nginx
File: /lessons/167/6-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.6-example.nginx
File: /lessons/167/6-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.6-example.nginx
File: /lessons/167/6-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.6-example.nginx
File: /lessons/167/6-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.6-example.nginx
File: /lessons/167/6-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.6-example.nginx
File: /lessons/167/6-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.6-example.nginx
File: /lessons/167/6-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.8-example.nginx
File: /lessons/167/8-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: 8-example
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.8-example.nginx
File: /lessons/167/8-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.8-example.nginx
File: /lessons/167/8-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.8-example.nginx
File: /lessons/167/8-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.8-example.nginx
File: /lessons/167/8-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.8-example.nginx
File: /lessons/167/8-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.8-example.nginx
File: /lessons/167/8-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.8-example.nginx
File: /lessons/167/8-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.8-example.nginx
File: /lessons/167/8-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.8-example.nginx
File: /lessons/167/8-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.8-example.nginx
File: /lessons/167/8-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.8-example.nginx
File: /lessons/167/8-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.8-example.nginx
File: /lessons/167/8-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.8-example.nginx
File: /lessons/167/8-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.8-example.nginx
File: /lessons/167/8-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.8-example.nginx
File: /lessons/167/8-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.8-example.nginx
File: /lessons/167/8-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.8-example.nginx
File: /lessons/167/8-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.5-example.nginx
File: /lessons/167/5-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: 5-example
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.5-example.nginx
File: /lessons/167/5-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.5-example.nginx
File: /lessons/167/5-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: 5-example
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.5-example.nginx
File: /lessons/167/5-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: 5-example
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.5-example.nginx
File: /lessons/167/5-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: 5-example
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.5-example.nginx
File: /lessons/167/5-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: 5-example
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.5-example.nginx
File: /lessons/167/5-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: 5-example
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.5-example.nginx
File: /lessons/167/5-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: 5-example
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.5-example.nginx
File: /lessons/167/5-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: 5-example
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.5-example.nginx
File: /lessons/167/5-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: 5-example
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.5-example.nginx
File: /lessons/167/5-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: 5-example
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.5-example.nginx
File: /lessons/167/5-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: 5-example
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.5-example.nginx
File: /lessons/167/5-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: 5-example
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.5-example.nginx
File: /lessons/167/5-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: 5-example
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.5-example.nginx
File: /lessons/167/5-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: 5-example
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.5-example.nginx
File: /lessons/167/5-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: 5-example
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.5-example.nginx
File: /lessons/167/5-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: 5-example
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.5-example.nginx
File: /lessons/167/5-example/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | namespace: 5-example
7 | labels:
8 | app: nginx
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: nginx
14 | template:
15 | metadata:
16 | labels:
17 | app: nginx
18 | spec:
19 | containers:
20 | - name: nginx
21 | image: nginx:1.25.0
22 | ports:
23 | - containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.guaranteed-pod
File: /lessons/094/examples/1-guaranteed.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: guaranteed-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 128Mi
13 | cpu: 500m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.guaranteed-pod
File: /lessons/094/examples/1-guaranteed.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: guaranteed-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 128Mi
13 | cpu: 500m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.guaranteed-pod
File: /lessons/094/examples/1-guaranteed.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: guaranteed-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 128Mi
13 | cpu: 500m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.guaranteed-pod
File: /lessons/094/examples/1-guaranteed.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: guaranteed-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 128Mi
13 | cpu: 500m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.default.guaranteed-pod
File: /lessons/094/examples/1-guaranteed.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: guaranteed-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 128Mi
13 | cpu: 500m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.guaranteed-pod
File: /lessons/094/examples/1-guaranteed.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: guaranteed-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 128Mi
13 | cpu: 500m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.guaranteed-pod
File: /lessons/094/examples/1-guaranteed.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: guaranteed-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 128Mi
13 | cpu: 500m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.guaranteed-pod
File: /lessons/094/examples/1-guaranteed.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: guaranteed-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 128Mi
13 | cpu: 500m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.default.guaranteed-pod
File: /lessons/094/examples/1-guaranteed.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: guaranteed-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 128Mi
13 | cpu: 500m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.guaranteed-pod
File: /lessons/094/examples/1-guaranteed.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: guaranteed-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 128Mi
13 | cpu: 500m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.guaranteed-pod
File: /lessons/094/examples/1-guaranteed.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: guaranteed-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 128Mi
13 | cpu: 500m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.guaranteed-pod
File: /lessons/094/examples/1-guaranteed.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: guaranteed-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 128Mi
13 | cpu: 500m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.guaranteed-pod
File: /lessons/094/examples/1-guaranteed.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: guaranteed-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 128Mi
13 | cpu: 500m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Pod.default.guaranteed-pod
File: /lessons/094/examples/1-guaranteed.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: guaranteed-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 128Mi
13 | cpu: 500m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.guaranteed-pod
File: /lessons/094/examples/1-guaranteed.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: guaranteed-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 128Mi
13 | cpu: 500m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.default.best-effort-pod
File: /lessons/094/examples/4-best-effort-pod.yaml:2-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: best-effort-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.best-effort-pod
File: /lessons/094/examples/4-best-effort-pod.yaml:2-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: best-effort-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Pod.default.best-effort-pod
File: /lessons/094/examples/4-best-effort-pod.yaml:2-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: best-effort-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.best-effort-pod
File: /lessons/094/examples/4-best-effort-pod.yaml:2-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: best-effort-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.best-effort-pod
File: /lessons/094/examples/4-best-effort-pod.yaml:2-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: best-effort-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.best-effort-pod
File: /lessons/094/examples/4-best-effort-pod.yaml:2-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: best-effort-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.default.best-effort-pod
File: /lessons/094/examples/4-best-effort-pod.yaml:2-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: best-effort-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.best-effort-pod
File: /lessons/094/examples/4-best-effort-pod.yaml:2-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: best-effort-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.best-effort-pod
File: /lessons/094/examples/4-best-effort-pod.yaml:2-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: best-effort-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.best-effort-pod
File: /lessons/094/examples/4-best-effort-pod.yaml:2-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: best-effort-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.default.best-effort-pod
File: /lessons/094/examples/4-best-effort-pod.yaml:2-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: best-effort-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.best-effort-pod
File: /lessons/094/examples/4-best-effort-pod.yaml:2-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: best-effort-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.default.best-effort-pod
File: /lessons/094/examples/4-best-effort-pod.yaml:2-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: best-effort-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.best-effort-pod
File: /lessons/094/examples/4-best-effort-pod.yaml:2-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: best-effort-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.best-effort-pod
File: /lessons/094/examples/4-best-effort-pod.yaml:2-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: best-effort-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.best-effort-pod
File: /lessons/094/examples/4-best-effort-pod.yaml:2-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: best-effort-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Pod.default.best-effort-pod
File: /lessons/094/examples/4-best-effort-pod.yaml:2-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: best-effort-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Pod.default.best-effort-pod
File: /lessons/094/examples/4-best-effort-pod.yaml:2-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: best-effort-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.best-effort-pod
File: /lessons/094/examples/4-best-effort-pod.yaml:2-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: best-effort-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.burstable-pod
File: /lessons/094/examples/2-burstable-pod.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: burstable-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 200m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.burstable-pod
File: /lessons/094/examples/2-burstable-pod.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: burstable-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 200m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.burstable-pod
File: /lessons/094/examples/2-burstable-pod.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: burstable-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 200m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.burstable-pod
File: /lessons/094/examples/2-burstable-pod.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: burstable-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 200m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.default.burstable-pod
File: /lessons/094/examples/2-burstable-pod.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: burstable-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 200m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.burstable-pod
File: /lessons/094/examples/2-burstable-pod.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: burstable-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 200m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.burstable-pod
File: /lessons/094/examples/2-burstable-pod.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: burstable-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 200m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.burstable-pod
File: /lessons/094/examples/2-burstable-pod.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: burstable-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 200m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.default.burstable-pod
File: /lessons/094/examples/2-burstable-pod.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: burstable-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 200m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.burstable-pod
File: /lessons/094/examples/2-burstable-pod.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: burstable-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 200m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.burstable-pod
File: /lessons/094/examples/2-burstable-pod.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: burstable-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 200m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.burstable-pod
File: /lessons/094/examples/2-burstable-pod.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: burstable-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 200m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.burstable-pod
File: /lessons/094/examples/2-burstable-pod.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: burstable-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 200m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Pod.default.burstable-pod
File: /lessons/094/examples/2-burstable-pod.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: burstable-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 200m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.burstable-pod
File: /lessons/094/examples/2-burstable-pod.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: burstable-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 200m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.default.burstable-no-limit-pod
File: /lessons/094/examples/3-burstable-no-limit-pod.yaml:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: burstable-no-limit-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 200m
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.burstable-no-limit-pod
File: /lessons/094/examples/3-burstable-no-limit-pod.yaml:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: burstable-no-limit-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 200m
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.burstable-no-limit-pod
File: /lessons/094/examples/3-burstable-no-limit-pod.yaml:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: burstable-no-limit-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 200m
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.burstable-no-limit-pod
File: /lessons/094/examples/3-burstable-no-limit-pod.yaml:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: burstable-no-limit-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 200m
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.burstable-no-limit-pod
File: /lessons/094/examples/3-burstable-no-limit-pod.yaml:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: burstable-no-limit-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 200m
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.default.burstable-no-limit-pod
File: /lessons/094/examples/3-burstable-no-limit-pod.yaml:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: burstable-no-limit-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 200m
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.burstable-no-limit-pod
File: /lessons/094/examples/3-burstable-no-limit-pod.yaml:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: burstable-no-limit-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 200m
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.burstable-no-limit-pod
File: /lessons/094/examples/3-burstable-no-limit-pod.yaml:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: burstable-no-limit-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 200m
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.burstable-no-limit-pod
File: /lessons/094/examples/3-burstable-no-limit-pod.yaml:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: burstable-no-limit-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 200m
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.default.burstable-no-limit-pod
File: /lessons/094/examples/3-burstable-no-limit-pod.yaml:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: burstable-no-limit-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 200m
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.burstable-no-limit-pod
File: /lessons/094/examples/3-burstable-no-limit-pod.yaml:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: burstable-no-limit-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 200m
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.default.burstable-no-limit-pod
File: /lessons/094/examples/3-burstable-no-limit-pod.yaml:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: burstable-no-limit-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 200m
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.burstable-no-limit-pod
File: /lessons/094/examples/3-burstable-no-limit-pod.yaml:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: burstable-no-limit-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 200m
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.burstable-no-limit-pod
File: /lessons/094/examples/3-burstable-no-limit-pod.yaml:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: burstable-no-limit-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 200m
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.burstable-no-limit-pod
File: /lessons/094/examples/3-burstable-no-limit-pod.yaml:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: burstable-no-limit-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 200m
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Pod.default.burstable-no-limit-pod
File: /lessons/094/examples/3-burstable-no-limit-pod.yaml:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: burstable-no-limit-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 200m
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.burstable-no-limit-pod
File: /lessons/094/examples/3-burstable-no-limit-pod.yaml:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: burstable-no-limit-pod
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 200m
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.example
File: /lessons/094/examples/0-req-limits.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: example
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 250m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.example
File: /lessons/094/examples/0-req-limits.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: example
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 250m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.example
File: /lessons/094/examples/0-req-limits.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: example
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 250m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.example
File: /lessons/094/examples/0-req-limits.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: example
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 250m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.default.example
File: /lessons/094/examples/0-req-limits.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: example
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 250m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.example
File: /lessons/094/examples/0-req-limits.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: example
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 250m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.example
File: /lessons/094/examples/0-req-limits.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: example
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 250m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.example
File: /lessons/094/examples/0-req-limits.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: example
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 250m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.default.example
File: /lessons/094/examples/0-req-limits.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: example
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 250m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.example
File: /lessons/094/examples/0-req-limits.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: example
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 250m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.example
File: /lessons/094/examples/0-req-limits.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: example
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 250m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.example
File: /lessons/094/examples/0-req-limits.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: example
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 250m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.example
File: /lessons/094/examples/0-req-limits.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: example
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 250m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Pod.default.example
File: /lessons/094/examples/0-req-limits.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: example
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 250m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.example
File: /lessons/094/examples/0-req-limits.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: example
6 | spec:
7 | containers:
8 | - name: app
9 | image: nginx:1.14.2
10 | resources:
11 | requests:
12 | memory: 64Mi
13 | cpu: 250m
14 | limits:
15 | memory: 128Mi
16 | cpu: 500m
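The findings above for the three Pod manifests in lessons/094 are the same fifteen to seventeen CKV_K8S_* checks repeated per file, and all of them are fixed by the same handful of fields. The block below is an added example, not code from the checkov report, from checkov itself, or from the antonputra/tutorials repository: it re-implements the failing checks in simplified form, runs them over the weak burstable-pod manifest exactly as printed above, and over a hardened rewrite that passes them. Checkov's real check logic lives in its own code base and differs in detail; the namespace name, the probe port 8080, the runAsUser value and the all-zero image digest in the hardened manifest are placeholders, and CKV_K8S_12 (memory requests) is included for completeness although it does not appear in the output above. The evaluator also handles workloads with a pod template (Deployment, as in the lessons/139 findings), which goes beyond the bare Pod case shown in the report.

```python
"""Simplified re-implementation of the CKV_K8S_* pod checks that fail above,
run against the weak manifest and a hardened rewrite. Added example; the
logic approximates checkov and is not checkov's code."""

HIGH_UID = 10000  # CKV_K8S_40 wants runAsUser at or above this

# Constructed from lessons/094/examples/2-burstable-pod.yaml as printed above.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "burstable-pod"},
    "spec": {"containers": [{
        "name": "app", "image": "nginx:1.14.2",
        "resources": {"requests": {"memory": "64Mi", "cpu": "200m"},
                      "limits": {"memory": "128Mi", "cpu": "500m"}}}]},
}

# Hardened rewrite. Caveat: stock nginx binds port 80 and writes to
# /var/cache/nginx and /var/run, so non-root plus a read-only root filesystem
# needs writable emptyDir mounts and an nginx config listening on an
# unprivileged port (assumed here to be 8080); an unprivileged nginx image
# variant is the usual way to get that. Namespace, UID and digest are placeholders.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "burstable-pod", "namespace": "lesson-094"},   # CKV_K8S_21
    "spec": {
        "automountServiceAccountToken": False,                          # CKV_K8S_38
        "securityContext": {                                            # CKV_K8S_29
            "runAsNonRoot": True, "runAsUser": 10001,
            "seccompProfile": {"type": "RuntimeDefault"}},              # CKV_K8S_31
        "containers": [{
            "name": "app",
            # placeholder digest: pin the real one (e.g. `crane digest nginx:1.14.2`)
            "image": "nginx@sha256:" + "0" * 64,                        # CKV_K8S_43
            "imagePullPolicy": "Always",                                # CKV_K8S_15
            "resources": {"requests": {"memory": "64Mi", "cpu": "200m"},  # CKV_K8S_10/12
                          "limits": {"memory": "128Mi", "cpu": "500m"}},  # CKV_K8S_11/13
            "securityContext": {                                        # CKV_K8S_30
                "runAsNonRoot": True, "runAsUser": 10001,               # CKV_K8S_23/40
                "allowPrivilegeEscalation": False,                      # CKV_K8S_20
                "readOnlyRootFilesystem": True,                         # CKV_K8S_22
                "capabilities": {"drop": ["ALL"]}},                     # CKV_K8S_28/37
            "livenessProbe": {"httpGet": {"path": "/", "port": 8080}},  # CKV_K8S_8
            "readinessProbe": {"httpGet": {"path": "/", "port": 8080}}, # CKV_K8S_9
            "volumeMounts": [{"name": "cache", "mountPath": "/var/cache/nginx"},
                             {"name": "run", "mountPath": "/var/run"}]}],
        "volumes": [{"name": "cache", "emptyDir": {}}, {"name": "run", "emptyDir": {}}],
    },
}


def pod_spec(manifest):
    """Pod spec of a bare Pod, or of a workload (Deployment etc.) with a pod template."""
    spec = manifest.get("spec", {})
    return spec["template"]["spec"] if "template" in spec else spec


def _inherited(container_sc, pod_sc, key):
    """Container-level securityContext value, else the pod-level one (k8s precedence)."""
    return container_sc[key] if key in container_sc else pod_sc.get(key)


def evaluate(manifest):
    """Return the set of check IDs the manifest fails."""
    spec, failed = pod_spec(manifest), set()
    pod_sc = spec.get("securityContext", {})
    if manifest.get("metadata", {}).get("namespace", "default") == "default":
        failed.add("CKV_K8S_21")
    if spec.get("automountServiceAccountToken") is not False:
        failed.add("CKV_K8S_38")
    containers = spec.get("containers", [])
    if "securityContext" not in spec or not all("securityContext" in c for c in containers):
        failed.add("CKV_K8S_29")
    for c in containers:
        sc = c.get("securityContext", {})
        res = c.get("resources", {})
        for cid, section, key in (("CKV_K8S_10", "requests", "cpu"), ("CKV_K8S_11", "limits", "cpu"),
                                  ("CKV_K8S_12", "requests", "memory"), ("CKV_K8S_13", "limits", "memory")):
            if key not in res.get(section, {}):
                failed.add(cid)
        if "livenessProbe" not in c: failed.add("CKV_K8S_8")
        if "readinessProbe" not in c: failed.add("CKV_K8S_9")
        if c.get("imagePullPolicy") != "Always": failed.add("CKV_K8S_15")
        if "@sha256:" not in c.get("image", ""): failed.add("CKV_K8S_43")
        if "securityContext" not in c: failed.add("CKV_K8S_30")
        # allowPrivilegeEscalation, readOnlyRootFilesystem and capabilities exist only
        # at container level in the Kubernetes API; the others can be inherited from the pod.
        if sc.get("allowPrivilegeEscalation") is not False: failed.add("CKV_K8S_20")
        if sc.get("readOnlyRootFilesystem") is not True: failed.add("CKV_K8S_22")
        uid = _inherited(sc, pod_sc, "runAsUser")
        if not (_inherited(sc, pod_sc, "runAsNonRoot") is True or (uid is not None and uid > 0)):
            failed.add("CKV_K8S_23")
        if uid is None or uid < HIGH_UID: failed.add("CKV_K8S_40")
        if (_inherited(sc, pod_sc, "seccompProfile") or {}).get("type") != "RuntimeDefault":
            failed.add("CKV_K8S_31")  # checkov also accepts the legacy annotation forms
        caps = sc.get("capabilities") or {}
        drop = {d.upper() for d in caps.get("drop", [])}
        if not drop & {"ALL", "NET_RAW"}: failed.add("CKV_K8S_28")
        if "ALL" not in drop or caps.get("add"): failed.add("CKV_K8S_37")
    return failed


if __name__ == "__main__":
    print("weak:", sorted(evaluate(WEAK_POD)))        # the fifteen IDs reported above
    print("hardened:", sorted(evaluate(HARDENED_POD)))  # []
```

Two things worth keeping in mind when applying the hardened fields to real workloads: `readOnlyRootFilesystem` and `runAsNonRoot` break images that expect to write under `/` or bind privileged ports, so test with the writable mounts and port changes in place rather than only against the scanner; and a digest pin satisfies CKV_K8S_43 but also freezes the image, so a digest-bumping step (Renovate, Dependabot or a build script) has to accompany it or the deployment silently stops receiving fixes.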
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.example-1.api
File: /lessons/139/5-example-1/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | namespace: example-1
6 | name: api
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: api
12 | template:
13 | metadata:
14 | labels:
15 | app: api
16 | spec:
17 | containers:
18 | - image: kennethreitz/httpbin
19 | name: api
20 | ports:
21 | - containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.example-1.api
File: /lessons/139/5-example-1/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | namespace: example-1
6 | name: api
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: api
12 | template:
13 | metadata:
14 | labels:
15 | app: api
16 | spec:
17 | containers:
18 | - image: kennethreitz/httpbin
19 | name: api
20 | ports:
21 | - containerPort: 80
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.example-1.api
File: /lessons/139/5-example-1/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | namespace: example-1
6 | name: api
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: api
12 | template:
13 | metadata:
14 | labels:
15 | app: api
16 | spec:
17 | containers:
18 | - image: kennethreitz/httpbin
19 | name: api
20 | ports:
21 | - containerPort: 80
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.example-1.api
File: /lessons/139/5-example-1/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | namespace: example-1
6 | name: api
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: api
12 | template:
13 | metadata:
14 | labels:
15 | app: api
16 | spec:
17 | containers:
18 | - image: kennethreitz/httpbin
19 | name: api
20 | ports:
21 | - containerPort: 80
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.example-1.api
File: /lessons/139/5-example-1/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | namespace: example-1
6 | name: api
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: api
12 | template:
13 | metadata:
14 | labels:
15 | app: api
16 | spec:
17 | containers:
18 | - image: kennethreitz/httpbin
19 | name: api
20 | ports:
21 | - containerPort: 80
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.example-1.api
File: /lessons/139/5-example-1/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | namespace: example-1
6 | name: api
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: api
12 | template:
13 | metadata:
14 | labels:
15 | app: api
16 | spec:
17 | containers:
18 | - image: kennethreitz/httpbin
19 | name: api
20 | ports:
21 | - containerPort: 80
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.example-1.api
File: /lessons/139/5-example-1/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | namespace: example-1
6 | name: api
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: api
12 | template:
13 | metadata:
14 | labels:
15 | app: api
16 | spec:
17 | containers:
18 | - image: kennethreitz/httpbin
19 | name: api
20 | ports:
21 | - containerPort: 80
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.example-1.api
File: /lessons/139/5-example-1/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | namespace: example-1
6 | name: api
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: api
12 | template:
13 | metadata:
14 | labels:
15 | app: api
16 | spec:
17 | containers:
18 | - image: kennethreitz/httpbin
19 | name: api
20 | ports:
21 | - containerPort: 80
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.example-1.api
File: /lessons/139/5-example-1/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   namespace: example-1
6 |   name: api
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: api
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: api
16 |     spec:
17 |       containers:
18 |         - image: kennethreitz/httpbin
19 |           name: api
20 |           ports:
21 |             - containerPort: 80
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.example-1.api
File: /lessons/139/5-example-1/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   namespace: example-1
6 |   name: api
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: api
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: api
16 |     spec:
17 |       containers:
18 |         - image: kennethreitz/httpbin
19 |           name: api
20 |           ports:
21 |             - containerPort: 80
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.example-1.api
File: /lessons/139/5-example-1/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   namespace: example-1
6 |   name: api
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: api
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: api
16 |     spec:
17 |       containers:
18 |         - image: kennethreitz/httpbin
19 |           name: api
20 |           ports:
21 |             - containerPort: 80
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.example-1.api
File: /lessons/139/5-example-1/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   namespace: example-1
6 |   name: api
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: api
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: api
16 |     spec:
17 |       containers:
18 |         - image: kennethreitz/httpbin
19 |           name: api
20 |           ports:
21 |             - containerPort: 80
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.example-1.api
File: /lessons/139/5-example-1/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   namespace: example-1
6 |   name: api
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: api
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: api
16 |     spec:
17 |       containers:
18 |         - image: kennethreitz/httpbin
19 |           name: api
20 |           ports:
21 |             - containerPort: 80
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.example-1.api
File: /lessons/139/5-example-1/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   namespace: example-1
6 |   name: api
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: api
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: api
16 |     spec:
17 |       containers:
18 |         - image: kennethreitz/httpbin
19 |           name: api
20 |           ports:
21 |             - containerPort: 80
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.example-1.api
File: /lessons/139/5-example-1/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   namespace: example-1
6 |   name: api
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: api
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: api
16 |     spec:
17 |       containers:
18 |         - image: kennethreitz/httpbin
19 |           name: api
20 |           ports:
21 |             - containerPort: 80
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.example-1.api
File: /lessons/139/5-example-1/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   namespace: example-1
6 |   name: api
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: api
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: api
16 |     spec:
17 |       containers:
18 |         - image: kennethreitz/httpbin
19 |           name: api
20 |           ports:
21 |             - containerPort: 80
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.example-1.api
File: /lessons/139/5-example-1/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   namespace: example-1
6 |   name: api
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: api
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: api
16 |     spec:
17 |       containers:
18 |         - image: kennethreitz/httpbin
19 |           name: api
20 |           ports:
21 |             - containerPort: 80
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.example-1.api
File: /lessons/139/5-example-1/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   namespace: example-1
6 |   name: api
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: api
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: api
16 |     spec:
17 |       containers:
18 |         - image: kennethreitz/httpbin
19 |           name: api
20 |           ports:
21 |             - containerPort: 80
Check: CKV_K8S_155: "Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations"
FAILED for resource: ClusterRole.default.cert-manager-cainjector
File: /lessons/139/6-cert-manager/cert-manager.yaml:4477-4506
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-control-over-validating-or-mutating-admission-webhook-configurations-are-minimized.html
4477 | apiVersion: rbac.authorization.k8s.io/v1
4478 | kind: ClusterRole
4479 | metadata:
4480 |   name: cert-manager-cainjector
4481 |   labels:
4482 |     app: cainjector
4483 |     app.kubernetes.io/name: cainjector
4484 |     app.kubernetes.io/instance: cert-manager
4485 |     app.kubernetes.io/component: "cainjector"
4486 |     app.kubernetes.io/version: "v1.10.1"
4487 | rules:
4488 |   - apiGroups: ["cert-manager.io"]
4489 |     resources: ["certificates"]
4490 |     verbs: ["get", "list", "watch"]
4491 |   - apiGroups: [""]
4492 |     resources: ["secrets"]
4493 |     verbs: ["get", "list", "watch"]
4494 |   - apiGroups: [""]
4495 |     resources: ["events"]
4496 |     verbs: ["get", "create", "update", "patch"]
4497 |   - apiGroups: ["admissionregistration.k8s.io"]
4498 |     resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
4499 |     verbs: ["get", "list", "watch", "update"]
4500 |   - apiGroups: ["apiregistration.k8s.io"]
4501 |     resources: ["apiservices"]
4502 |     verbs: ["get", "list", "watch", "update"]
4503 |   - apiGroups: ["apiextensions.k8s.io"]
4504 |     resources: ["customresourcedefinitions"]
4505 |     verbs: ["get", "list", "watch", "update"]
4506 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/139/6-cert-manager/cert-manager.yaml:5229-5280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/139/6-cert-manager/cert-manager.yaml:5229-5280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/139/6-cert-manager/cert-manager.yaml:5229-5280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/139/6-cert-manager/cert-manager.yaml:5229-5280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/139/6-cert-manager/cert-manager.yaml:5229-5280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/139/6-cert-manager/cert-manager.yaml:5229-5280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/139/6-cert-manager/cert-manager.yaml:5229-5280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/139/6-cert-manager/cert-manager.yaml:5229-5280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/139/6-cert-manager/cert-manager.yaml:5229-5280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/139/6-cert-manager/cert-manager.yaml:5229-5280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/139/6-cert-manager/cert-manager.yaml:5229-5280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/139/6-cert-manager/cert-manager.yaml:5282-5343
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/139/6-cert-manager/cert-manager.yaml:5282-5343
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/139/6-cert-manager/cert-manager.yaml:5282-5343
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/139/6-cert-manager/cert-manager.yaml:5282-5343
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/139/6-cert-manager/cert-manager.yaml:5282-5343
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/139/6-cert-manager/cert-manager.yaml:5282-5343
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/139/6-cert-manager/cert-manager.yaml:5282-5343
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/139/6-cert-manager/cert-manager.yaml:5282-5343
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/139/6-cert-manager/cert-manager.yaml:5282-5343
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/139/6-cert-manager/cert-manager.yaml:5282-5343
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/139/6-cert-manager/cert-manager.yaml:5282-5343
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /lessons/139/6-cert-manager/cert-manager.yaml:5345-5429
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /lessons/139/6-cert-manager/cert-manager.yaml:5345-5429
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /lessons/139/6-cert-manager/cert-manager.yaml:5345-5429
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /lessons/139/6-cert-manager/cert-manager.yaml:5345-5429
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /lessons/139/6-cert-manager/cert-manager.yaml:5345-5429
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /lessons/139/6-cert-manager/cert-manager.yaml:5345-5429
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /lessons/139/6-cert-manager/cert-manager.yaml:5345-5429
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /lessons/139/6-cert-manager/cert-manager.yaml:5345-5429
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /lessons/139/6-cert-manager/cert-manager.yaml:5345-5429
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_156: "Minimize ClusterRoles that grant permissions to approve CertificateSigningRequests"
FAILED for resource: ClusterRole.default.istiod-istio-system
File: /lessons/139/2-istio-crds/istio-cluster.yaml:7288-7394
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-permissions-to-approve-certificatesigningrequests-are-minimized.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_155: "Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations"
FAILED for resource: ClusterRole.default.istiod-istio-system
File: /lessons/139/2-istio-crds/istio-cluster.yaml:7288-7394
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-control-over-validating-or-mutating-admission-webhook-configurations-are-minimized.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: ClusterRole.default.istio-reader-istio-system
File: /lessons/139/2-istio-crds/istio-cluster.yaml:7396-7439
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
7396 | apiVersion: rbac.authorization.k8s.io/v1
7397 | kind: ClusterRole
7398 | metadata:
7399 |   name: istio-reader-istio-system
7400 |   labels:
7401 |     app: istio-reader
7402 |     release: istio
7403 | rules:
7404 |   - apiGroups:
7405 |       - "config.istio.io"
7406 |       - "security.istio.io"
7407 |       - "networking.istio.io"
7408 |       - "authentication.istio.io"
7409 |       - "rbac.istio.io"
7410 |     resources: ["*"]
7411 |     verbs: ["get", "list", "watch"]
7412 |   - apiGroups: [""]
7413 |     resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
7414 |     verbs: ["get", "list", "watch"]
7415 |   - apiGroups: ["networking.istio.io"]
7416 |     verbs: [ "get", "watch", "list" ]
7417 |     resources: [ "workloadentries" ]
7418 |   - apiGroups: ["apiextensions.k8s.io"]
7419 |     resources: ["customresourcedefinitions"]
7420 |     verbs: ["get", "list", "watch"]
7421 |   - apiGroups: ["discovery.k8s.io"]
7422 |     resources: ["endpointslices"]
7423 |     verbs: ["get", "list", "watch"]
7424 |   - apiGroups: ["apps"]
7425 |     resources: ["replicasets"]
7426 |     verbs: ["get", "list", "watch"]
7427 |   - apiGroups: ["authentication.k8s.io"]
7428 |     resources: ["tokenreviews"]
7429 |     verbs: ["create"]
7430 |   - apiGroups: ["authorization.k8s.io"]
7431 |     resources: ["subjectaccessreviews"]
7432 |     verbs: ["create"]
7433 |   - apiGroups: ["multicluster.x-k8s.io"]
7434 |     resources: ["serviceexports"]
7435 |     verbs: ["get", "watch", "list"]
7436 |   - apiGroups: ["multicluster.x-k8s.io"]
7437 |     resources: ["serviceimports"]
7438 |     verbs: ["get", "watch", "list"]
7439 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/139/9-monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/139/9-monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/139/9-monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/139/9-monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/139/9-monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/139/9-monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/139/9-monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/139/9-monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/139/9-monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/139/9-monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/139/9-monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/139/9-monitoring/prometheus-operator/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/139/9-monitoring/prometheus-operator/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/139/9-monitoring/prometheus-operator/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/139/9-monitoring/prometheus-operator/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/139/9-monitoring/prometheus-operator/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/139/9-monitoring/prometheus-operator/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: ClusterRole.default.prometheus-operator
File: /lessons/139/9-monitoring/prometheus-operator/1-cluster-role.yaml:2-81
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_156: "Minimize ClusterRoles that grant permissions to approve CertificateSigningRequests"
FAILED for resource: ClusterRole.default.istiod-clusterrole-istio-system
File: /lessons/139/3-istiod/clusterrole.yaml:3-109
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-permissions-to-approve-certificatesigningrequests-are-minimized.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_155: "Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations"
FAILED for resource: ClusterRole.default.istiod-clusterrole-istio-system
File: /lessons/139/3-istiod/clusterrole.yaml:3-109
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-control-over-validating-or-mutating-admission-webhook-configurations-are-minimized.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: ClusterRole.default.istio-reader-clusterrole-istio-system
File: /lessons/139/3-istiod/reader-clusterrole.yaml:3-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
3 | apiVersion: rbac.authorization.k8s.io/v1
4 | kind: ClusterRole
5 | metadata:
6 |   name: istio-reader-clusterrole-istio-system
7 |   labels:
8 |     app: istio-reader
9 |     release: driver
10 | rules:
11 |   - apiGroups:
12 |       - "config.istio.io"
13 |       - "security.istio.io"
14 |       - "networking.istio.io"
15 |       - "authentication.istio.io"
16 |       - "rbac.istio.io"
17 |     resources: ["*"]
18 |     verbs: ["get", "list", "watch"]
19 |   - apiGroups: [""]
20 |     resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
21 |     verbs: ["get", "list", "watch"]
22 |   - apiGroups: ["networking.istio.io"]
23 |     verbs: [ "get", "watch", "list" ]
24 |     resources: [ "workloadentries" ]
25 |   - apiGroups: ["apiextensions.k8s.io"]
26 |     resources: ["customresourcedefinitions"]
27 |     verbs: ["get", "list", "watch"]
28 |   - apiGroups: ["discovery.k8s.io"]
29 |     resources: ["endpointslices"]
30 |     verbs: ["get", "list", "watch"]
31 |   - apiGroups: ["multicluster.x-k8s.io"]
32 |     resources: ["serviceexports"]
33 |     verbs: ["get", "list", "watch", "create", "delete"]
34 |   - apiGroups: ["multicluster.x-k8s.io"]
35 |     resources: ["serviceimports"]
36 |     verbs: ["get", "list", "watch"]
37 |   - apiGroups: ["apps"]
38 |     resources: ["replicasets"]
39 |     verbs: ["get", "list", "watch"]
40 |   - apiGroups: ["authentication.k8s.io"]
41 |     resources: ["tokenreviews"]
42 |     verbs: ["create"]
43 |   - apiGroups: ["authorization.k8s.io"]
44 |     resources: ["subjectaccessreviews"]
45 |     verbs: ["create"]
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.istio-system.istiod
File: /lessons/139/3-istiod/deployment.yaml:3-163
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.istio-system.istiod
File: /lessons/139/3-istiod/deployment.yaml:3-163
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.istio-system.istiod
File: /lessons/139/3-istiod/deployment.yaml:3-163
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.istio-system.istiod
File: /lessons/139/3-istiod/deployment.yaml:3-163
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.istio-system.istiod
File: /lessons/139/3-istiod/deployment.yaml:3-163
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.istio-system.istiod
File: /lessons/139/3-istiod/deployment.yaml:3-163
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.istio-system.istiod
File: /lessons/139/3-istiod/deployment.yaml:3-163
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.istio-system.istiod
File: /lessons/139/3-istiod/deployment.yaml:3-163
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.example-2.apiv2
File: /lessons/139/7-example-2/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   namespace: example-2
6 |   name: apiv2
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: apiv2
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: apiv2
16 |     spec:
17 |       containers:
18 |         - image: kennethreitz/httpbin
19 |           name: apiv2
20 |           ports:
21 |             - containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.example-2.apiv2
File: /lessons/139/7-example-2/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.example-2.apiv2
File: /lessons/139/7-example-2/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.example-2.apiv2
File: /lessons/139/7-example-2/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.example-2.apiv2
File: /lessons/139/7-example-2/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.example-2.apiv2
File: /lessons/139/7-example-2/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.example-2.apiv2
File: /lessons/139/7-example-2/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.example-2.apiv2
File: /lessons/139/7-example-2/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.example-2.apiv2
File: /lessons/139/7-example-2/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.example-2.apiv2
File: /lessons/139/7-example-2/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.example-2.apiv2
File: /lessons/139/7-example-2/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.example-2.apiv2
File: /lessons/139/7-example-2/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.example-2.apiv2
File: /lessons/139/7-example-2/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.example-2.apiv2
File: /lessons/139/7-example-2/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.example-2.apiv2
File: /lessons/139/7-example-2/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.example-2.apiv2
File: /lessons/139/7-example-2/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.example-2.apiv2
File: /lessons/139/7-example-2/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.example-2.apiv2
File: /lessons/139/7-example-2/2-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.bar.nginx
File: /lessons/158/lesson-158/environments/staging/second-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 |   namespace: bar
7 |   labels:
8 |     app: nginx
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: nginx
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: nginx
18 |     spec:
19 |       containers:
20 |         - name: nginx
21 |           image: aputra/nginx:v0.1.3
22 |           ports:
23 |             - containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.bar.nginx
File: /lessons/158/lesson-158/environments/staging/second-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.bar.nginx
File: /lessons/158/lesson-158/environments/staging/second-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.bar.nginx
File: /lessons/158/lesson-158/environments/staging/second-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.bar.nginx
File: /lessons/158/lesson-158/environments/staging/second-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.bar.nginx
File: /lessons/158/lesson-158/environments/staging/second-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.bar.nginx
File: /lessons/158/lesson-158/environments/staging/second-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.bar.nginx
File: /lessons/158/lesson-158/environments/staging/second-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.bar.nginx
File: /lessons/158/lesson-158/environments/staging/second-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.bar.nginx
File: /lessons/158/lesson-158/environments/staging/second-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.bar.nginx
File: /lessons/158/lesson-158/environments/staging/second-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.bar.nginx
File: /lessons/158/lesson-158/environments/staging/second-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.bar.nginx
File: /lessons/158/lesson-158/environments/staging/second-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.bar.nginx
File: /lessons/158/lesson-158/environments/staging/second-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.bar.nginx
File: /lessons/158/lesson-158/environments/staging/second-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.bar.nginx
File: /lessons/158/lesson-158/environments/staging/second-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.bar.nginx
File: /lessons/158/lesson-158/environments/staging/second-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.bar.nginx
File: /lessons/158/lesson-158/environments/staging/second-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158/environments/staging/my-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 |   namespace: foo
7 |   labels:
8 |     app: nginx
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: nginx
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: nginx
18 |     spec:
19 |       containers:
20 |         - name: nginx
21 |           image: aputra/nginx:v0.1.3
22 |           ports:
23 |             - containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158/environments/staging/my-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158/environments/staging/my-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158/environments/staging/my-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158/environments/staging/my-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158/environments/staging/my-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158/environments/staging/my-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158/environments/staging/my-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158/environments/staging/my-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158/environments/staging/my-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158/environments/staging/my-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158/environments/staging/my-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158/environments/staging/my-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158/environments/staging/my-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158/environments/staging/my-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158/environments/staging/my-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158/environments/staging/my-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158/environments/staging/my-app/1-deployment.yaml:2-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/158/lesson-158-private/my-app-base/deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 | spec:
7 |   replicas: 1
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           imagePullPolicy: Always
19 |           image: aputra/nginx
20 |           ports:
21 |             - containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx
File: /lessons/158/lesson-158-private/my-app-base/deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/158/lesson-158-private/my-app-base/deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx
File: /lessons/158/lesson-158-private/my-app-base/deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/158/lesson-158-private/my-app-base/deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/158/lesson-158-private/my-app-base/deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/158/lesson-158-private/my-app-base/deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx
File: /lessons/158/lesson-158-private/my-app-base/deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx
File: /lessons/158/lesson-158-private/my-app-base/deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/158/lesson-158-private/my-app-base/deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/158/lesson-158-private/my-app-base/deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx
File: /lessons/158/lesson-158-private/my-app-base/deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/158/lesson-158-private/my-app-base/deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx
File: /lessons/158/lesson-158-private/my-app-base/deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx
File: /lessons/158/lesson-158-private/my-app-base/deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx
File: /lessons/158/lesson-158-private/my-app-base/deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/158/lesson-158-private/my-app-base/deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.nginx
File: /lessons/158/lesson-158-private/my-app-base/deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx
File: /lessons/158/lesson-158-private/my-app-base/deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158-private/my-app/1-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: nginx
6 |   namespace: foo
7 |   labels:
8 |     app: nginx
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: nginx
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: nginx
18 |     spec:
19 |       containers:
20 |         - name: nginx
21 |           imagePullPolicy: Always
22 |           image: aputra/nginx-private:v0.1.0
23 |           ports:
24 |             - containerPort: 80
25 |       imagePullSecrets:
26 |         - name: dockerconfigjson
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158-private/my-app/1-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158-private/my-app/1-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158-private/my-app/1-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158-private/my-app/1-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158-private/my-app/1-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158-private/my-app/1-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158-private/my-app/1-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158-private/my-app/1-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158-private/my-app/1-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158-private/my-app/1-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158-private/my-app/1-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158-private/my-app/1-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158-private/my-app/1-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158-private/my-app/1-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158-private/my-app/1-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.foo.nginx
File: /lessons/158/lesson-158-private/my-app/1-deployment.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.echoserver
File: /lessons/125/k8s/echoserver.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: echoserver
6 | namespace: default
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: echoserver
11 | replicas: 1
12 | template:
13 | metadata:
14 | labels:
15 | app: echoserver
16 | spec:
17 | containers:
18 | - image: k8s.gcr.io/e2e-test-images/echoserver:2.5
19 | name: echoserver
20 | ports:
21 | - containerPort: 8080
22 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.echoserver
File: /lessons/125/k8s/echoserver.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.echoserver
File: /lessons/125/k8s/echoserver.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.echoserver
File: /lessons/125/k8s/echoserver.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.echoserver
File: /lessons/125/k8s/echoserver.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.echoserver
File: /lessons/125/k8s/echoserver.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.echoserver
File: /lessons/125/k8s/echoserver.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.echoserver
File: /lessons/125/k8s/echoserver.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.echoserver
File: /lessons/125/k8s/echoserver.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.echoserver
File: /lessons/125/k8s/echoserver.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.echoserver
File: /lessons/125/k8s/echoserver.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.echoserver
File: /lessons/125/k8s/echoserver.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.echoserver
File: /lessons/125/k8s/echoserver.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.echoserver
File: /lessons/125/k8s/echoserver.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.echoserver
File: /lessons/125/k8s/echoserver.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.echoserver
File: /lessons/125/k8s/echoserver.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.echoserver
File: /lessons/125/k8s/echoserver.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.echoserver
File: /lessons/125/k8s/echoserver.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.echoserver
File: /lessons/125/k8s/echoserver.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.echoserver
File: /lessons/125/k8s/echoserver.yaml:23-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
23 | apiVersion: v1
24 | kind: Service
25 | metadata:
26 | name: echoserver
27 | namespace: default
28 | spec:
29 | ports:
30 | - port: 8080
31 | protocol: TCP
32 | type: ClusterIP
33 | selector:
34 | app: echoserver
35 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Ingress.default.echoserver
File: /lessons/125/k8s/echoserver.yaml:36-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
36 | apiVersion: networking.k8s.io/v1
37 | kind: Ingress
38 | metadata:
39 | name: echoserver
40 | namespace: default
41 | annotations:
42 | alb.ingress.kubernetes.io/scheme: internet-facing
43 | alb.ingress.kubernetes.io/target-type: ip
44 | spec:
45 | ingressClassName: alb
46 | rules:
47 | - host: echo.devopsbyexample.io
48 | http:
49 | paths:
50 | - path: /
51 | pathType: Exact
52 | backend:
53 | service:
54 | name: echoserver
55 | port:
56 | number: 8080
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/125/k8s/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx-deployment
6 | spec:
7 | replicas: 4
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14.2
19 | resources:
20 | requests:
21 | cpu: "1"
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/125/k8s/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/125/k8s/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/125/k8s/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/125/k8s/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/125/k8s/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/125/k8s/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/125/k8s/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/125/k8s/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/125/k8s/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/125/k8s/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/125/k8s/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/125/k8s/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/125/k8s/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/125/k8s/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/125/k8s/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/125/k8s/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/125/k8s/nginx.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/098/examples/0-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | spec:
7 | replicas: 3
8 | selector:
9 | matchLabels:
10 | app: nginx-controller
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx-controller
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
21 | affinity:
22 | podAntiAffinity:
23 | preferredDuringSchedulingIgnoredDuringExecution:
24 | - weight: 100
25 | podAffinityTerm:
26 | labelSelector:
27 | matchExpressions:
28 | - key: app
29 | operator: In
30 | values:
31 | - nginx-controller
32 | topologyKey: "kubernetes.io/hostname"
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx
File: /lessons/098/examples/0-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/098/examples/0-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx
File: /lessons/098/examples/0-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/098/examples/0-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/098/examples/0-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/098/examples/0-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx
File: /lessons/098/examples/0-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx
File: /lessons/098/examples/0-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/098/examples/0-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/098/examples/0-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx
File: /lessons/098/examples/0-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/098/examples/0-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx
File: /lessons/098/examples/0-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx
File: /lessons/098/examples/0-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx
File: /lessons/098/examples/0-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/098/examples/0-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx
File: /lessons/098/examples/0-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx
File: /lessons/098/examples/0-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/155/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/155/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/155/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/155/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/155/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/155/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/155/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/155/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/155/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/155/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/155/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/155/monitoring/prometheus-operator/deployment/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/155/monitoring/prometheus-operator/deployment/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/155/monitoring/prometheus-operator/deployment/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/155/monitoring/prometheus-operator/deployment/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/155/monitoring/prometheus-operator/deployment/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/155/monitoring/prometheus-operator/deployment/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: ClusterRole.default.prometheus-operator
File: /lessons/155/monitoring/prometheus-operator/deployment/1-cluster-role.yaml:1-81
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.istio-system.kiali
File: /lessons/155/monitoring/kiali/deployment.yaml:2-105
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.istio-system.kiali
File: /lessons/155/monitoring/kiali/deployment.yaml:2-105
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.istio-system.kiali
File: /lessons/155/monitoring/kiali/deployment.yaml:2-105
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.istio-system.kiali
File: /lessons/155/monitoring/kiali/deployment.yaml:2-105
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.istio-system.kiali
File: /lessons/155/monitoring/kiali/deployment.yaml:2-105
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.istio-system.kiali
File: /lessons/155/monitoring/kiali/deployment.yaml:2-105
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.backend.client
File: /lessons/155/1-example/6-client.yaml:9-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
 9 | apiVersion: v1
10 | kind: Pod
11 | metadata:
12 |   name: client
13 |   namespace: backend
14 | spec:
15 |   containers:
16 |   - name: client
17 |     image: curlimages/curl:latest
18 |     command: ["/bin/sh", "-c", "--"]
19 |     args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.backend.client
File: /lessons/155/1-example/6-client.yaml:9-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
 9 | apiVersion: v1
10 | kind: Pod
11 | metadata:
12 |   name: client
13 |   namespace: backend
14 | spec:
15 |   containers:
16 |   - name: client
17 |     image: curlimages/curl:latest
18 |     command: ["/bin/sh", "-c", "--"]
19 |     args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Pod.backend.client
File: /lessons/155/1-example/6-client.yaml:9-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
 9 | apiVersion: v1
10 | kind: Pod
11 | metadata:
12 |   name: client
13 |   namespace: backend
14 | spec:
15 |   containers:
16 |   - name: client
17 |     image: curlimages/curl:latest
18 |     command: ["/bin/sh", "-c", "--"]
19 |     args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.backend.client
File: /lessons/155/1-example/6-client.yaml:9-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
 9 | apiVersion: v1
10 | kind: Pod
11 | metadata:
12 |   name: client
13 |   namespace: backend
14 | spec:
15 |   containers:
16 |   - name: client
17 |     image: curlimages/curl:latest
18 |     command: ["/bin/sh", "-c", "--"]
19 |     args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.backend.client
File: /lessons/155/1-example/6-client.yaml:9-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
 9 | apiVersion: v1
10 | kind: Pod
11 | metadata:
12 |   name: client
13 |   namespace: backend
14 | spec:
15 |   containers:
16 |   - name: client
17 |     image: curlimages/curl:latest
18 |     command: ["/bin/sh", "-c", "--"]
19 |     args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.backend.client
File: /lessons/155/1-example/6-client.yaml:9-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
 9 | apiVersion: v1
10 | kind: Pod
11 | metadata:
12 |   name: client
13 |   namespace: backend
14 | spec:
15 |   containers:
16 |   - name: client
17 |     image: curlimages/curl:latest
18 |     command: ["/bin/sh", "-c", "--"]
19 |     args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.backend.client
File: /lessons/155/1-example/6-client.yaml:9-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
 9 | apiVersion: v1
10 | kind: Pod
11 | metadata:
12 |   name: client
13 |   namespace: backend
14 | spec:
15 |   containers:
16 |   - name: client
17 |     image: curlimages/curl:latest
18 |     command: ["/bin/sh", "-c", "--"]
19 |     args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.backend.client
File: /lessons/155/1-example/6-client.yaml:9-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
 9 | apiVersion: v1
10 | kind: Pod
11 | metadata:
12 |   name: client
13 |   namespace: backend
14 | spec:
15 |   containers:
16 |   - name: client
17 |     image: curlimages/curl:latest
18 |     command: ["/bin/sh", "-c", "--"]
19 |     args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.backend.client
File: /lessons/155/1-example/6-client.yaml:9-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
 9 | apiVersion: v1
10 | kind: Pod
11 | metadata:
12 |   name: client
13 |   namespace: backend
14 | spec:
15 |   containers:
16 |   - name: client
17 |     image: curlimages/curl:latest
18 |     command: ["/bin/sh", "-c", "--"]
19 |     args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.backend.client
File: /lessons/155/1-example/6-client.yaml:9-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
 9 | apiVersion: v1
10 | kind: Pod
11 | metadata:
12 |   name: client
13 |   namespace: backend
14 | spec:
15 |   containers:
16 |   - name: client
17 |     image: curlimages/curl:latest
18 |     command: ["/bin/sh", "-c", "--"]
19 |     args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.backend.client
File: /lessons/155/1-example/6-client.yaml:9-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
 9 | apiVersion: v1
10 | kind: Pod
11 | metadata:
12 |   name: client
13 |   namespace: backend
14 | spec:
15 |   containers:
16 |   - name: client
17 |     image: curlimages/curl:latest
18 |     command: ["/bin/sh", "-c", "--"]
19 |     args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.backend.client
File: /lessons/155/1-example/6-client.yaml:9-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
 9 | apiVersion: v1
10 | kind: Pod
11 | metadata:
12 |   name: client
13 |   namespace: backend
14 | spec:
15 |   containers:
16 |   - name: client
17 |     image: curlimages/curl:latest
18 |     command: ["/bin/sh", "-c", "--"]
19 |     args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.backend.client
File: /lessons/155/1-example/6-client.yaml:9-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
 9 | apiVersion: v1
10 | kind: Pod
11 | metadata:
12 |   name: client
13 |   namespace: backend
14 | spec:
15 |   containers:
16 |   - name: client
17 |     image: curlimages/curl:latest
18 |     command: ["/bin/sh", "-c", "--"]
19 |     args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.backend.client
File: /lessons/155/1-example/6-client.yaml:9-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
 9 | apiVersion: v1
10 | kind: Pod
11 | metadata:
12 |   name: client
13 |   namespace: backend
14 | spec:
15 |   containers:
16 |   - name: client
17 |     image: curlimages/curl:latest
18 |     command: ["/bin/sh", "-c", "--"]
19 |     args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.backend.client
File: /lessons/155/1-example/6-client.yaml:9-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
 9 | apiVersion: v1
10 | kind: Pod
11 | metadata:
12 |   name: client
13 |   namespace: backend
14 | spec:
15 |   containers:
16 |   - name: client
17 |     image: curlimages/curl:latest
18 |     command: ["/bin/sh", "-c", "--"]
19 |     args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Pod.backend.client
File: /lessons/155/1-example/6-client.yaml:9-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
 9 | apiVersion: v1
10 | kind: Pod
11 | metadata:
12 |   name: client
13 |   namespace: backend
14 | spec:
15 |   containers:
16 |   - name: client
17 |     image: curlimages/curl:latest
18 |     command: ["/bin/sh", "-c", "--"]
19 |     args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.backend.client
File: /lessons/155/1-example/6-client.yaml:9-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
 9 | apiVersion: v1
10 | kind: Pod
11 | metadata:
12 |   name: client
13 |   namespace: backend
14 | spec:
15 |   containers:
16 |   - name: client
17 |     image: curlimages/curl:latest
18 |     command: ["/bin/sh", "-c", "--"]
19 |     args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.backend.client
File: /lessons/155/1-example/6-client.yaml:9-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
 9 | apiVersion: v1
10 | kind: Pod
11 | metadata:
12 |   name: client
13 |   namespace: backend
14 | spec:
15 |   containers:
16 |   - name: client
17 |     image: curlimages/curl:latest
18 |     command: ["/bin/sh", "-c", "--"]
19 |     args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/155/1-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
 2 | apiVersion: apps/v1
 3 | kind: Deployment
 4 | metadata:
 5 |   name: first-app-v1
 6 |   namespace: staging
 7 | spec:
 8 |   replicas: 1
 9 |   selector:
10 |     matchLabels:
11 |       app: first-app
12 |       version: v1
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: first-app
17 |         version: v1
18 |         istio: monitor
19 |     spec:
20 |       containers:
21 |       - image: aputra/myapp-lesson155:latest
22 |         imagePullPolicy: Always
23 |         name: first-app
24 |         env:
25 |         - name: SERVICE
26 |           value: first-app
27 |         - name: VERSION
28 |           value: v1
29 |         ports:
30 |         - name: http
31 |           containerPort: 8080
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/155/1-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
 2 | apiVersion: apps/v1
 3 | kind: Deployment
 4 | metadata:
 5 |   name: first-app-v1
 6 |   namespace: staging
 7 | spec:
 8 |   replicas: 1
 9 |   selector:
10 |     matchLabels:
11 |       app: first-app
12 |       version: v1
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: first-app
17 |         version: v1
18 |         istio: monitor
19 |     spec:
20 |       containers:
21 |       - image: aputra/myapp-lesson155:latest
22 |         imagePullPolicy: Always
23 |         name: first-app
24 |         env:
25 |         - name: SERVICE
26 |           value: first-app
27 |         - name: VERSION
28 |           value: v1
29 |         ports:
30 |         - name: http
31 |           containerPort: 8080
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/155/1-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
 2 | apiVersion: apps/v1
 3 | kind: Deployment
 4 | metadata:
 5 |   name: first-app-v1
 6 |   namespace: staging
 7 | spec:
 8 |   replicas: 1
 9 |   selector:
10 |     matchLabels:
11 |       app: first-app
12 |       version: v1
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: first-app
17 |         version: v1
18 |         istio: monitor
19 |     spec:
20 |       containers:
21 |       - image: aputra/myapp-lesson155:latest
22 |         imagePullPolicy: Always
23 |         name: first-app
24 |         env:
25 |         - name: SERVICE
26 |           value: first-app
27 |         - name: VERSION
28 |           value: v1
29 |         ports:
30 |         - name: http
31 |           containerPort: 8080
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/155/1-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
 2 | apiVersion: apps/v1
 3 | kind: Deployment
 4 | metadata:
 5 |   name: first-app-v1
 6 |   namespace: staging
 7 | spec:
 8 |   replicas: 1
 9 |   selector:
10 |     matchLabels:
11 |       app: first-app
12 |       version: v1
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: first-app
17 |         version: v1
18 |         istio: monitor
19 |     spec:
20 |       containers:
21 |       - image: aputra/myapp-lesson155:latest
22 |         imagePullPolicy: Always
23 |         name: first-app
24 |         env:
25 |         - name: SERVICE
26 |           value: first-app
27 |         - name: VERSION
28 |           value: v1
29 |         ports:
30 |         - name: http
31 |           containerPort: 8080
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/155/1-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
 2 | apiVersion: apps/v1
 3 | kind: Deployment
 4 | metadata:
 5 |   name: first-app-v1
 6 |   namespace: staging
 7 | spec:
 8 |   replicas: 1
 9 |   selector:
10 |     matchLabels:
11 |       app: first-app
12 |       version: v1
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: first-app
17 |         version: v1
18 |         istio: monitor
19 |     spec:
20 |       containers:
21 |       - image: aputra/myapp-lesson155:latest
22 |         imagePullPolicy: Always
23 |         name: first-app
24 |         env:
25 |         - name: SERVICE
26 |           value: first-app
27 |         - name: VERSION
28 |           value: v1
29 |         ports:
30 |         - name: http
31 |           containerPort: 8080
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/155/1-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
 2 | apiVersion: apps/v1
 3 | kind: Deployment
 4 | metadata:
 5 |   name: first-app-v1
 6 |   namespace: staging
 7 | spec:
 8 |   replicas: 1
 9 |   selector:
10 |     matchLabels:
11 |       app: first-app
12 |       version: v1
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: first-app
17 |         version: v1
18 |         istio: monitor
19 |     spec:
20 |       containers:
21 |       - image: aputra/myapp-lesson155:latest
22 |         imagePullPolicy: Always
23 |         name: first-app
24 |         env:
25 |         - name: SERVICE
26 |           value: first-app
27 |         - name: VERSION
28 |           value: v1
29 |         ports:
30 |         - name: http
31 |           containerPort: 8080
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/155/1-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
 2 | apiVersion: apps/v1
 3 | kind: Deployment
 4 | metadata:
 5 |   name: first-app-v1
 6 |   namespace: staging
 7 | spec:
 8 |   replicas: 1
 9 |   selector:
10 |     matchLabels:
11 |       app: first-app
12 |       version: v1
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: first-app
17 |         version: v1
18 |         istio: monitor
19 |     spec:
20 |       containers:
21 |       - image: aputra/myapp-lesson155:latest
22 |         imagePullPolicy: Always
23 |         name: first-app
24 |         env:
25 |         - name: SERVICE
26 |           value: first-app
27 |         - name: VERSION
28 |           value: v1
29 |         ports:
30 |         - name: http
31 |           containerPort: 8080
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/155/1-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
 2 | apiVersion: apps/v1
 3 | kind: Deployment
 4 | metadata:
 5 |   name: first-app-v1
 6 |   namespace: staging
 7 | spec:
 8 |   replicas: 1
 9 |   selector:
10 |     matchLabels:
11 |       app: first-app
12 |       version: v1
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: first-app
17 |         version: v1
18 |         istio: monitor
19 |     spec:
20 |       containers:
21 |       - image: aputra/myapp-lesson155:latest
22 |         imagePullPolicy: Always
23 |         name: first-app
24 |         env:
25 |         - name: SERVICE
26 |           value: first-app
27 |         - name: VERSION
28 |           value: v1
29 |         ports:
30 |         - name: http
31 |           containerPort: 8080
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/155/1-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
 2 | apiVersion: apps/v1
 3 | kind: Deployment
 4 | metadata:
 5 |   name: first-app-v1
 6 |   namespace: staging
 7 | spec:
 8 |   replicas: 1
 9 |   selector:
10 |     matchLabels:
11 |       app: first-app
12 |       version: v1
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: first-app
17 |         version: v1
18 |         istio: monitor
19 |     spec:
20 |       containers:
21 |       - image: aputra/myapp-lesson155:latest
22 |         imagePullPolicy: Always
23 |         name: first-app
24 |         env:
25 |         - name: SERVICE
26 |           value: first-app
27 |         - name: VERSION
28 |           value: v1
29 |         ports:
30 |         - name: http
31 |           containerPort: 8080
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/155/1-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
 2 | apiVersion: apps/v1
 3 | kind: Deployment
 4 | metadata:
 5 |   name: first-app-v1
 6 |   namespace: staging
 7 | spec:
 8 |   replicas: 1
 9 |   selector:
10 |     matchLabels:
11 |       app: first-app
12 |       version: v1
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: first-app
17 |         version: v1
18 |         istio: monitor
19 |     spec:
20 |       containers:
21 |       - image: aputra/myapp-lesson155:latest
22 |         imagePullPolicy: Always
23 |         name: first-app
24 |         env:
25 |         - name: SERVICE
26 |           value: first-app
27 |         - name: VERSION
28 |           value: v1
29 |         ports:
30 |         - name: http
31 |           containerPort: 8080
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/155/1-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
 2 | apiVersion: apps/v1
 3 | kind: Deployment
 4 | metadata:
 5 |   name: first-app-v1
 6 |   namespace: staging
 7 | spec:
 8 |   replicas: 1
 9 |   selector:
10 |     matchLabels:
11 |       app: first-app
12 |       version: v1
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: first-app
17 |         version: v1
18 |         istio: monitor
19 |     spec:
20 |       containers:
21 |       - image: aputra/myapp-lesson155:latest
22 |         imagePullPolicy: Always
23 |         name: first-app
24 |         env:
25 |         - name: SERVICE
26 |           value: first-app
27 |         - name: VERSION
28 |           value: v1
29 |         ports:
30 |         - name: http
31 |           containerPort: 8080
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/155/1-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
 2 | apiVersion: apps/v1
 3 | kind: Deployment
 4 | metadata:
 5 |   name: first-app-v1
 6 |   namespace: staging
 7 | spec:
 8 |   replicas: 1
 9 |   selector:
10 |     matchLabels:
11 |       app: first-app
12 |       version: v1
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: first-app
17 |         version: v1
18 |         istio: monitor
19 |     spec:
20 |       containers:
21 |       - image: aputra/myapp-lesson155:latest
22 |         imagePullPolicy: Always
23 |         name: first-app
24 |         env:
25 |         - name: SERVICE
26 |           value: first-app
27 |         - name: VERSION
28 |           value: v1
29 |         ports:
30 |         - name: http
31 |           containerPort: 8080
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/155/1-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
 2 | apiVersion: apps/v1
 3 | kind: Deployment
 4 | metadata:
 5 |   name: first-app-v1
 6 |   namespace: staging
 7 | spec:
 8 |   replicas: 1
 9 |   selector:
10 |     matchLabels:
11 |       app: first-app
12 |       version: v1
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: first-app
17 |         version: v1
18 |         istio: monitor
19 |     spec:
20 |       containers:
21 |       - image: aputra/myapp-lesson155:latest
22 |         imagePullPolicy: Always
23 |         name: first-app
24 |         env:
25 |         - name: SERVICE
26 |           value: first-app
27 |         - name: VERSION
28 |           value: v1
29 |         ports:
30 |         - name: http
31 |           containerPort: 8080
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/155/1-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
 2 | apiVersion: apps/v1
 3 | kind: Deployment
 4 | metadata:
 5 |   name: first-app-v1
 6 |   namespace: staging
 7 | spec:
 8 |   replicas: 1
 9 |   selector:
10 |     matchLabels:
11 |       app: first-app
12 |       version: v1
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: first-app
17 |         version: v1
18 |         istio: monitor
19 |     spec:
20 |       containers:
21 |       - image: aputra/myapp-lesson155:latest
22 |         imagePullPolicy: Always
23 |         name: first-app
24 |         env:
25 |         - name: SERVICE
26 |           value: first-app
27 |         - name: VERSION
28 |           value: v1
29 |         ports:
30 |         - name: http
31 |           containerPort: 8080
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/155/1-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
 2 | apiVersion: apps/v1
 3 | kind: Deployment
 4 | metadata:
 5 |   name: first-app-v1
 6 |   namespace: staging
 7 | spec:
 8 |   replicas: 1
 9 |   selector:
10 |     matchLabels:
11 |       app: first-app
12 |       version: v1
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: first-app
17 |         version: v1
18 |         istio: monitor
19 |     spec:
20 |       containers:
21 |       - image: aputra/myapp-lesson155:latest
22 |         imagePullPolicy: Always
23 |         name: first-app
24 |         env:
25 |         - name: SERVICE
26 |           value: first-app
27 |         - name: VERSION
28 |           value: v1
29 |         ports:
30 |         - name: http
31 |           containerPort: 8080
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/155/1-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
 2 | apiVersion: apps/v1
 3 | kind: Deployment
 4 | metadata:
 5 |   name: first-app-v1
 6 |   namespace: staging
 7 | spec:
 8 |   replicas: 1
 9 |   selector:
10 |     matchLabels:
11 |       app: first-app
12 |       version: v1
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: first-app
17 |         version: v1
18 |         istio: monitor
19 |     spec:
20 |       containers:
21 |       - image: aputra/myapp-lesson155:latest
22 |         imagePullPolicy: Always
23 |         name: first-app
24 |         env:
25 |         - name: SERVICE
26 |           value: first-app
27 |         - name: VERSION
28 |           value: v1
29 |         ports:
30 |         - name: http
31 |           containerPort: 8080
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/155/1-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v1
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.first-app-v1
File: /lessons/155/1-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v1
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.staging.first-app-v2
File: /lessons/155/1-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v2
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.first-app-v2
File: /lessons/155/1-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v2
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.staging.first-app-v2
File: /lessons/155/1-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v2
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.first-app-v2
File: /lessons/155/1-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v2
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.first-app-v2
File: /lessons/155/1-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v2
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.first-app-v2
File: /lessons/155/1-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v2
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.first-app-v2
File: /lessons/155/1-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v2
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.first-app-v2
File: /lessons/155/1-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v2
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.first-app-v2
File: /lessons/155/1-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v2
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.first-app-v2
File: /lessons/155/1-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v2
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.first-app-v2
File: /lessons/155/1-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v2
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.staging.first-app-v2
File: /lessons/155/1-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v2
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.first-app-v2
File: /lessons/155/1-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v2
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.first-app-v2
File: /lessons/155/1-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v2
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.first-app-v2
File: /lessons/155/1-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v2
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.staging.first-app-v2
File: /lessons/155/1-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v2
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.staging.first-app-v2
File: /lessons/155/1-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v2
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.first-app-v2
File: /lessons/155/1-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: first-app-v2
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: first-app
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: first-app
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: first-app
24 | env:
25 | - name: SERVICE
26 | value: first-app
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_155: "Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations"
FAILED for resource: ClusterRole.default.cert-manager-cainjector
File: /lessons/155/cert-manager/cert-manager.yaml:4486-4515
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-control-over-validating-or-mutating-admission-webhook-configurations-are-minimized.html
4486 | apiVersion: rbac.authorization.k8s.io/v1
4487 | kind: ClusterRole
4488 | metadata:
4489 | name: cert-manager-cainjector
4490 | labels:
4491 | app: cainjector
4492 | app.kubernetes.io/name: cainjector
4493 | app.kubernetes.io/instance: cert-manager
4494 | app.kubernetes.io/component: "cainjector"
4495 | app.kubernetes.io/version: "v1.11.0"
4496 | rules:
4497 | - apiGroups: ["cert-manager.io"]
4498 | resources: ["certificates"]
4499 | verbs: ["get", "list", "watch"]
4500 | - apiGroups: [""]
4501 | resources: ["secrets"]
4502 | verbs: ["get", "list", "watch"]
4503 | - apiGroups: [""]
4504 | resources: ["events"]
4505 | verbs: ["get", "create", "update", "patch"]
4506 | - apiGroups: ["admissionregistration.k8s.io"]
4507 | resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
4508 | verbs: ["get", "list", "watch", "update"]
4509 | - apiGroups: ["apiregistration.k8s.io"]
4510 | resources: ["apiservices"]
4511 | verbs: ["get", "list", "watch", "update"]
4512 | - apiGroups: ["apiextensions.k8s.io"]
4513 | resources: ["customresourcedefinitions"]
4514 | verbs: ["get", "list", "watch", "update"]
4515 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/155/cert-manager/cert-manager.yaml:5238-5289
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/155/cert-manager/cert-manager.yaml:5238-5289
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/155/cert-manager/cert-manager.yaml:5238-5289
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/155/cert-manager/cert-manager.yaml:5238-5289
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/155/cert-manager/cert-manager.yaml:5238-5289
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/155/cert-manager/cert-manager.yaml:5238-5289
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/155/cert-manager/cert-manager.yaml:5238-5289
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/155/cert-manager/cert-manager.yaml:5238-5289
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/155/cert-manager/cert-manager.yaml:5238-5289
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/155/cert-manager/cert-manager.yaml:5238-5289
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /lessons/155/cert-manager/cert-manager.yaml:5238-5289
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/155/cert-manager/cert-manager.yaml:5291-5353
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/155/cert-manager/cert-manager.yaml:5291-5353
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/155/cert-manager/cert-manager.yaml:5291-5353
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/155/cert-manager/cert-manager.yaml:5291-5353
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/155/cert-manager/cert-manager.yaml:5291-5353
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/155/cert-manager/cert-manager.yaml:5291-5353
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/155/cert-manager/cert-manager.yaml:5291-5353
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/155/cert-manager/cert-manager.yaml:5291-5353
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/155/cert-manager/cert-manager.yaml:5291-5353
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/155/cert-manager/cert-manager.yaml:5291-5353
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /lessons/155/cert-manager/cert-manager.yaml:5291-5353
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /lessons/155/cert-manager/cert-manager.yaml:5355-5439
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /lessons/155/cert-manager/cert-manager.yaml:5355-5439
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /lessons/155/cert-manager/cert-manager.yaml:5355-5439
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /lessons/155/cert-manager/cert-manager.yaml:5355-5439
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /lessons/155/cert-manager/cert-manager.yaml:5355-5439
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /lessons/155/cert-manager/cert-manager.yaml:5355-5439
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /lessons/155/cert-manager/cert-manager.yaml:5355-5439
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /lessons/155/cert-manager/cert-manager.yaml:5355-5439
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /lessons/155/cert-manager/cert-manager.yaml:5355-5439
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.dev.myapp-v2
File: /lessons/155/2-example/2-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp-v2
6 | namespace: dev
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: myapp
24 | env:
25 | - name: SERVICE
26 | value: myapp
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.dev.myapp-v2
File: /lessons/155/2-example/2-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.dev.myapp-v2
File: /lessons/155/2-example/2-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.dev.myapp-v2
File: /lessons/155/2-example/2-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.dev.myapp-v2
File: /lessons/155/2-example/2-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.dev.myapp-v2
File: /lessons/155/2-example/2-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.dev.myapp-v2
File: /lessons/155/2-example/2-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.dev.myapp-v2
File: /lessons/155/2-example/2-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.dev.myapp-v2
File: /lessons/155/2-example/2-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.dev.myapp-v2
File: /lessons/155/2-example/2-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.dev.myapp-v2
File: /lessons/155/2-example/2-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.dev.myapp-v2
File: /lessons/155/2-example/2-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.dev.myapp-v2
File: /lessons/155/2-example/2-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.dev.myapp-v2
File: /lessons/155/2-example/2-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.dev.myapp-v2
File: /lessons/155/2-example/2-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.dev.myapp-v2
File: /lessons/155/2-example/2-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.dev.myapp-v2
File: /lessons/155/2-example/2-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.dev.myapp-v2
File: /lessons/155/2-example/2-deployment.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.dev.myapp-v1
File: /lessons/155/2-example/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp-v1
6 | namespace: dev
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | version: v1
18 | istio: monitor
19 | sidecar.istio.io/inject: "true"
20 | spec:
21 | containers:
22 | - image: aputra/myapp-lesson155:latest
23 | imagePullPolicy: Always
24 | name: myapp
25 | env:
26 | - name: SERVICE
27 | value: myapp
28 | - name: VERSION
29 | value: v1
30 | ports:
31 | - name: http
32 | containerPort: 8080
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.dev.myapp-v1
File: /lessons/155/2-example/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.dev.myapp-v1
File: /lessons/155/2-example/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.dev.myapp-v1
File: /lessons/155/2-example/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.dev.myapp-v1
File: /lessons/155/2-example/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.dev.myapp-v1
File: /lessons/155/2-example/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.dev.myapp-v1
File: /lessons/155/2-example/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.dev.myapp-v1
File: /lessons/155/2-example/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.dev.myapp-v1
File: /lessons/155/2-example/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.dev.myapp-v1
File: /lessons/155/2-example/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.dev.myapp-v1
File: /lessons/155/2-example/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.dev.myapp-v1
File: /lessons/155/2-example/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.dev.myapp-v1
File: /lessons/155/2-example/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.dev.myapp-v1
File: /lessons/155/2-example/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.dev.myapp-v1
File: /lessons/155/2-example/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.dev.myapp-v1
File: /lessons/155/2-example/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.dev.myapp-v1
File: /lessons/155/2-example/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.dev.myapp-v1
File: /lessons/155/2-example/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.production.second-app-v1
File: /lessons/155/3-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: second-app-v1
6 | namespace: production
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: second-app
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: second-app
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: second-app
24 | env:
25 | - name: SERVICE
26 | value: second-app
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.production.second-app-v1
File: /lessons/155/3-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.production.second-app-v1
File: /lessons/155/3-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.production.second-app-v1
File: /lessons/155/3-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.production.second-app-v1
File: /lessons/155/3-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.production.second-app-v1
File: /lessons/155/3-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.production.second-app-v1
File: /lessons/155/3-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.production.second-app-v1
File: /lessons/155/3-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.production.second-app-v1
File: /lessons/155/3-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.production.second-app-v1
File: /lessons/155/3-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.production.second-app-v1
File: /lessons/155/3-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.production.second-app-v1
File: /lessons/155/3-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.production.second-app-v1
File: /lessons/155/3-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.production.second-app-v1
File: /lessons/155/3-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.production.second-app-v1
File: /lessons/155/3-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.production.second-app-v1
File: /lessons/155/3-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.production.second-app-v1
File: /lessons/155/3-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.production.second-app-v1
File: /lessons/155/3-example/1-deployment-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.production.second-app-v2
File: /lessons/155/3-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: second-app-v2
6 | namespace: production
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: second-app
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: second-app
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: second-app
24 | env:
25 | - name: SERVICE
26 | value: second-app
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.production.second-app-v2
File: /lessons/155/3-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.production.second-app-v2
File: /lessons/155/3-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.production.second-app-v2
File: /lessons/155/3-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.production.second-app-v2
File: /lessons/155/3-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.production.second-app-v2
File: /lessons/155/3-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.production.second-app-v2
File: /lessons/155/3-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.production.second-app-v2
File: /lessons/155/3-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.production.second-app-v2
File: /lessons/155/3-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.production.second-app-v2
File: /lessons/155/3-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.production.second-app-v2
File: /lessons/155/3-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.production.second-app-v2
File: /lessons/155/3-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.production.second-app-v2
File: /lessons/155/3-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: second-app-v2
6 | namespace: production
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: second-app
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: second-app
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: second-app
24 | env:
25 | - name: SERVICE
26 | value: second-app
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.production.second-app-v2
File: /lessons/155/3-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: second-app-v2
6 | namespace: production
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: second-app
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: second-app
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: second-app
24 | env:
25 | - name: SERVICE
26 | value: second-app
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.production.second-app-v2
File: /lessons/155/3-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: second-app-v2
6 | namespace: production
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: second-app
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: second-app
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: second-app
24 | env:
25 | - name: SERVICE
26 | value: second-app
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.production.second-app-v2
File: /lessons/155/3-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: second-app-v2
6 | namespace: production
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: second-app
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: second-app
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: second-app
24 | env:
25 | - name: SERVICE
26 | value: second-app
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.production.second-app-v2
File: /lessons/155/3-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: second-app-v2
6 | namespace: production
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: second-app
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: second-app
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: second-app
24 | env:
25 | - name: SERVICE
26 | value: second-app
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.production.second-app-v2
File: /lessons/155/3-example/2-deployment-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: second-app-v2
6 | namespace: production
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: second-app
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: second-app
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: aputra/myapp-lesson155:latest
22 | imagePullPolicy: Always
23 | name: second-app
24 | env:
25 | - name: SERVICE
26 | value: second-app
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/142/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/142/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/142/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/142/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/142/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/142/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/142/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/142/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/142/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/142/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/142/monitoring/grafana/6-deployment.yaml:2-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/142/monitoring/prometheus-operator/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/142/monitoring/prometheus-operator/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/142/monitoring/prometheus-operator/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/142/monitoring/prometheus-operator/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/142/monitoring/prometheus-operator/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/142/monitoring/prometheus-operator/3-deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: ClusterRole.default.prometheus-operator
File: /lessons/142/monitoring/prometheus-operator/1-cluster-role.yaml:2-81
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.istio-system.kiali
File: /lessons/142/monitoring/kiali/deployment.yaml:2-106
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.istio-system.kiali
File: /lessons/142/monitoring/kiali/deployment.yaml:2-106
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.istio-system.kiali
File: /lessons/142/monitoring/kiali/deployment.yaml:2-106
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.istio-system.kiali
File: /lessons/142/monitoring/kiali/deployment.yaml:2-106
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.istio-system.kiali
File: /lessons/142/monitoring/kiali/deployment.yaml:2-106
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.istio-system.kiali
File: /lessons/142/monitoring/kiali/deployment.yaml:2-106
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.staging.service-a
File: /lessons/142/go-app/deploy/1-deployment-service-a.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-a
12 | template:
13 | metadata:
14 | labels:
15 | app: service-a
16 | istio: monitor
17 | spec:
18 | containers:
19 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
20 | imagePullPolicy: Always
21 | name: service-a
22 | env:
23 | - name: SERVICE
24 | value: service-a
25 | ports:
26 | - name: http
27 | containerPort: 8080
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.service-a
File: /lessons/142/go-app/deploy/1-deployment-service-a.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-a
12 | template:
13 | metadata:
14 | labels:
15 | app: service-a
16 | istio: monitor
17 | spec:
18 | containers:
19 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
20 | imagePullPolicy: Always
21 | name: service-a
22 | env:
23 | - name: SERVICE
24 | value: service-a
25 | ports:
26 | - name: http
27 | containerPort: 8080
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.staging.service-a
File: /lessons/142/go-app/deploy/1-deployment-service-a.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-a
12 | template:
13 | metadata:
14 | labels:
15 | app: service-a
16 | istio: monitor
17 | spec:
18 | containers:
19 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
20 | imagePullPolicy: Always
21 | name: service-a
22 | env:
23 | - name: SERVICE
24 | value: service-a
25 | ports:
26 | - name: http
27 | containerPort: 8080
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.service-a
File: /lessons/142/go-app/deploy/1-deployment-service-a.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-a
12 | template:
13 | metadata:
14 | labels:
15 | app: service-a
16 | istio: monitor
17 | spec:
18 | containers:
19 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
20 | imagePullPolicy: Always
21 | name: service-a
22 | env:
23 | - name: SERVICE
24 | value: service-a
25 | ports:
26 | - name: http
27 | containerPort: 8080
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.service-a
File: /lessons/142/go-app/deploy/1-deployment-service-a.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-a
12 | template:
13 | metadata:
14 | labels:
15 | app: service-a
16 | istio: monitor
17 | spec:
18 | containers:
19 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
20 | imagePullPolicy: Always
21 | name: service-a
22 | env:
23 | - name: SERVICE
24 | value: service-a
25 | ports:
26 | - name: http
27 | containerPort: 8080
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.service-a
File: /lessons/142/go-app/deploy/1-deployment-service-a.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-a
12 | template:
13 | metadata:
14 | labels:
15 | app: service-a
16 | istio: monitor
17 | spec:
18 | containers:
19 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
20 | imagePullPolicy: Always
21 | name: service-a
22 | env:
23 | - name: SERVICE
24 | value: service-a
25 | ports:
26 | - name: http
27 | containerPort: 8080
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.service-a
File: /lessons/142/go-app/deploy/1-deployment-service-a.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-a
12 | template:
13 | metadata:
14 | labels:
15 | app: service-a
16 | istio: monitor
17 | spec:
18 | containers:
19 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
20 | imagePullPolicy: Always
21 | name: service-a
22 | env:
23 | - name: SERVICE
24 | value: service-a
25 | ports:
26 | - name: http
27 | containerPort: 8080
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.service-a
File: /lessons/142/go-app/deploy/1-deployment-service-a.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-a
12 | template:
13 | metadata:
14 | labels:
15 | app: service-a
16 | istio: monitor
17 | spec:
18 | containers:
19 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
20 | imagePullPolicy: Always
21 | name: service-a
22 | env:
23 | - name: SERVICE
24 | value: service-a
25 | ports:
26 | - name: http
27 | containerPort: 8080
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.service-a
File: /lessons/142/go-app/deploy/1-deployment-service-a.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-a
12 | template:
13 | metadata:
14 | labels:
15 | app: service-a
16 | istio: monitor
17 | spec:
18 | containers:
19 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
20 | imagePullPolicy: Always
21 | name: service-a
22 | env:
23 | - name: SERVICE
24 | value: service-a
25 | ports:
26 | - name: http
27 | containerPort: 8080
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.service-a
File: /lessons/142/go-app/deploy/1-deployment-service-a.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-a
12 | template:
13 | metadata:
14 | labels:
15 | app: service-a
16 | istio: monitor
17 | spec:
18 | containers:
19 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
20 | imagePullPolicy: Always
21 | name: service-a
22 | env:
23 | - name: SERVICE
24 | value: service-a
25 | ports:
26 | - name: http
27 | containerPort: 8080
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.service-a
File: /lessons/142/go-app/deploy/1-deployment-service-a.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-a
12 | template:
13 | metadata:
14 | labels:
15 | app: service-a
16 | istio: monitor
17 | spec:
18 | containers:
19 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
20 | imagePullPolicy: Always
21 | name: service-a
22 | env:
23 | - name: SERVICE
24 | value: service-a
25 | ports:
26 | - name: http
27 | containerPort: 8080
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.staging.service-a
File: /lessons/142/go-app/deploy/1-deployment-service-a.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-a
12 | template:
13 | metadata:
14 | labels:
15 | app: service-a
16 | istio: monitor
17 | spec:
18 | containers:
19 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
20 | imagePullPolicy: Always
21 | name: service-a
22 | env:
23 | - name: SERVICE
24 | value: service-a
25 | ports:
26 | - name: http
27 | containerPort: 8080
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.service-a
File: /lessons/142/go-app/deploy/1-deployment-service-a.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-a
12 | template:
13 | metadata:
14 | labels:
15 | app: service-a
16 | istio: monitor
17 | spec:
18 | containers:
19 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
20 | imagePullPolicy: Always
21 | name: service-a
22 | env:
23 | - name: SERVICE
24 | value: service-a
25 | ports:
26 | - name: http
27 | containerPort: 8080
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.service-a
File: /lessons/142/go-app/deploy/1-deployment-service-a.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-a
12 | template:
13 | metadata:
14 | labels:
15 | app: service-a
16 | istio: monitor
17 | spec:
18 | containers:
19 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
20 | imagePullPolicy: Always
21 | name: service-a
22 | env:
23 | - name: SERVICE
24 | value: service-a
25 | ports:
26 | - name: http
27 | containerPort: 8080
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.service-a
File: /lessons/142/go-app/deploy/1-deployment-service-a.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-a
12 | template:
13 | metadata:
14 | labels:
15 | app: service-a
16 | istio: monitor
17 | spec:
18 | containers:
19 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
20 | imagePullPolicy: Always
21 | name: service-a
22 | env:
23 | - name: SERVICE
24 | value: service-a
25 | ports:
26 | - name: http
27 | containerPort: 8080
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.staging.service-a
File: /lessons/142/go-app/deploy/1-deployment-service-a.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-a
12 | template:
13 | metadata:
14 | labels:
15 | app: service-a
16 | istio: monitor
17 | spec:
18 | containers:
19 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
20 | imagePullPolicy: Always
21 | name: service-a
22 | env:
23 | - name: SERVICE
24 | value: service-a
25 | ports:
26 | - name: http
27 | containerPort: 8080
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.staging.service-a
File: /lessons/142/go-app/deploy/1-deployment-service-a.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-a
12 | template:
13 | metadata:
14 | labels:
15 | app: service-a
16 | istio: monitor
17 | spec:
18 | containers:
19 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
20 | imagePullPolicy: Always
21 | name: service-a
22 | env:
23 | - name: SERVICE
24 | value: service-a
25 | ports:
26 | - name: http
27 | containerPort: 8080
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.service-a
File: /lessons/142/go-app/deploy/1-deployment-service-a.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-a
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-a
12 | template:
13 | metadata:
14 | labels:
15 | app: service-a
16 | istio: monitor
17 | spec:
18 | containers:
19 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
20 | imagePullPolicy: Always
21 | name: service-a
22 | env:
23 | - name: SERVICE
24 | value: service-a
25 | ports:
26 | - name: http
27 | containerPort: 8080
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.staging.service-b-v1
File: /lessons/142/go-app/deploy/3-deployment-service-b-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-v1
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: service-b
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
22 | imagePullPolicy: Always
23 | name: service-b
24 | env:
25 | - name: SERVICE
26 | value: service-b
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.service-b-v1
File: /lessons/142/go-app/deploy/3-deployment-service-b-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-v1
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: service-b
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
22 | imagePullPolicy: Always
23 | name: service-b
24 | env:
25 | - name: SERVICE
26 | value: service-b
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.staging.service-b-v1
File: /lessons/142/go-app/deploy/3-deployment-service-b-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-v1
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: service-b
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
22 | imagePullPolicy: Always
23 | name: service-b
24 | env:
25 | - name: SERVICE
26 | value: service-b
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.service-b-v1
File: /lessons/142/go-app/deploy/3-deployment-service-b-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-v1
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: service-b
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
22 | imagePullPolicy: Always
23 | name: service-b
24 | env:
25 | - name: SERVICE
26 | value: service-b
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.service-b-v1
File: /lessons/142/go-app/deploy/3-deployment-service-b-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-v1
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: service-b
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
22 | imagePullPolicy: Always
23 | name: service-b
24 | env:
25 | - name: SERVICE
26 | value: service-b
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.service-b-v1
File: /lessons/142/go-app/deploy/3-deployment-service-b-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-v1
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: service-b
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
22 | imagePullPolicy: Always
23 | name: service-b
24 | env:
25 | - name: SERVICE
26 | value: service-b
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.service-b-v1
File: /lessons/142/go-app/deploy/3-deployment-service-b-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-v1
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: service-b
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
22 | imagePullPolicy: Always
23 | name: service-b
24 | env:
25 | - name: SERVICE
26 | value: service-b
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.service-b-v1
File: /lessons/142/go-app/deploy/3-deployment-service-b-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-v1
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: service-b
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
22 | imagePullPolicy: Always
23 | name: service-b
24 | env:
25 | - name: SERVICE
26 | value: service-b
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.service-b-v1
File: /lessons/142/go-app/deploy/3-deployment-service-b-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-v1
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: service-b
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
22 | imagePullPolicy: Always
23 | name: service-b
24 | env:
25 | - name: SERVICE
26 | value: service-b
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.service-b-v1
File: /lessons/142/go-app/deploy/3-deployment-service-b-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-v1
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: service-b
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
22 | imagePullPolicy: Always
23 | name: service-b
24 | env:
25 | - name: SERVICE
26 | value: service-b
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.service-b-v1
File: /lessons/142/go-app/deploy/3-deployment-service-b-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-v1
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: service-b
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
22 | imagePullPolicy: Always
23 | name: service-b
24 | env:
25 | - name: SERVICE
26 | value: service-b
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.staging.service-b-v1
File: /lessons/142/go-app/deploy/3-deployment-service-b-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-v1
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: service-b
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
22 | imagePullPolicy: Always
23 | name: service-b
24 | env:
25 | - name: SERVICE
26 | value: service-b
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.service-b-v1
File: /lessons/142/go-app/deploy/3-deployment-service-b-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-v1
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: service-b
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
22 | imagePullPolicy: Always
23 | name: service-b
24 | env:
25 | - name: SERVICE
26 | value: service-b
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.service-b-v1
File: /lessons/142/go-app/deploy/3-deployment-service-b-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-v1
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: service-b
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
22 | imagePullPolicy: Always
23 | name: service-b
24 | env:
25 | - name: SERVICE
26 | value: service-b
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.service-b-v1
File: /lessons/142/go-app/deploy/3-deployment-service-b-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-v1
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: service-b
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
22 | imagePullPolicy: Always
23 | name: service-b
24 | env:
25 | - name: SERVICE
26 | value: service-b
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.staging.service-b-v1
File: /lessons/142/go-app/deploy/3-deployment-service-b-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-v1
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: service-b
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
22 | imagePullPolicy: Always
23 | name: service-b
24 | env:
25 | - name: SERVICE
26 | value: service-b
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.staging.service-b-v1
File: /lessons/142/go-app/deploy/3-deployment-service-b-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-v1
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: service-b
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
22 | imagePullPolicy: Always
23 | name: service-b
24 | env:
25 | - name: SERVICE
26 | value: service-b
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.service-b-v1
File: /lessons/142/go-app/deploy/3-deployment-service-b-v1.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-v1
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b
12 | version: v1
13 | template:
14 | metadata:
15 | labels:
16 | app: service-b
17 | version: v1
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
22 | imagePullPolicy: Always
23 | name: service-b
24 | env:
25 | - name: SERVICE
26 | value: service-b
27 | - name: VERSION
28 | value: v1
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.staging.service-b-v2
File: /lessons/142/go-app/deploy/4-deployment-service-b-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-v2
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: service-b
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
22 | imagePullPolicy: Always
23 | name: service-b
24 | env:
25 | - name: SERVICE
26 | value: service-b
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.service-b-v2
File: /lessons/142/go-app/deploy/4-deployment-service-b-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-v2
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: service-b
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
22 | imagePullPolicy: Always
23 | name: service-b
24 | env:
25 | - name: SERVICE
26 | value: service-b
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.staging.service-b-v2
File: /lessons/142/go-app/deploy/4-deployment-service-b-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-v2
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: service-b
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
22 | imagePullPolicy: Always
23 | name: service-b
24 | env:
25 | - name: SERVICE
26 | value: service-b
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.service-b-v2
File: /lessons/142/go-app/deploy/4-deployment-service-b-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-v2
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: service-b
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
22 | imagePullPolicy: Always
23 | name: service-b
24 | env:
25 | - name: SERVICE
26 | value: service-b
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.service-b-v2
File: /lessons/142/go-app/deploy/4-deployment-service-b-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-v2
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: service-b
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
22 | imagePullPolicy: Always
23 | name: service-b
24 | env:
25 | - name: SERVICE
26 | value: service-b
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.service-b-v2
File: /lessons/142/go-app/deploy/4-deployment-service-b-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-v2
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: service-b
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
22 | imagePullPolicy: Always
23 | name: service-b
24 | env:
25 | - name: SERVICE
26 | value: service-b
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.service-b-v2
File: /lessons/142/go-app/deploy/4-deployment-service-b-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-v2
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: service-b
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
22 | imagePullPolicy: Always
23 | name: service-b
24 | env:
25 | - name: SERVICE
26 | value: service-b
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.service-b-v2
File: /lessons/142/go-app/deploy/4-deployment-service-b-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-v2
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: service-b
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
22 | imagePullPolicy: Always
23 | name: service-b
24 | env:
25 | - name: SERVICE
26 | value: service-b
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.service-b-v2
File: /lessons/142/go-app/deploy/4-deployment-service-b-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-v2
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: service-b
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
22 | imagePullPolicy: Always
23 | name: service-b
24 | env:
25 | - name: SERVICE
26 | value: service-b
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.service-b-v2
File: /lessons/142/go-app/deploy/4-deployment-service-b-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-v2
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: service-b
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
22 | imagePullPolicy: Always
23 | name: service-b
24 | env:
25 | - name: SERVICE
26 | value: service-b
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.service-b-v2
File: /lessons/142/go-app/deploy/4-deployment-service-b-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-v2
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: service-b
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
22 | imagePullPolicy: Always
23 | name: service-b
24 | env:
25 | - name: SERVICE
26 | value: service-b
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.staging.service-b-v2
File: /lessons/142/go-app/deploy/4-deployment-service-b-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-v2
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: service-b
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
22 | imagePullPolicy: Always
23 | name: service-b
24 | env:
25 | - name: SERVICE
26 | value: service-b
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.service-b-v2
File: /lessons/142/go-app/deploy/4-deployment-service-b-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: service-b-v2
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: service-b
12 | version: v2
13 | template:
14 | metadata:
15 | labels:
16 | app: service-b
17 | version: v2
18 | istio: monitor
19 | spec:
20 | containers:
21 | - image: 424432388155.dkr.ecr.us-east-1.amazonaws.com/go-app:latest
22 | imagePullPolicy: Always
23 | name: service-b
24 | env:
25 | - name: SERVICE
26 | value: service-b
27 | - name: VERSION
28 | value: v2
29 | ports:
30 | - name: http
31 | containerPort: 8080
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.service-b-v2
File: /lessons/142/go-app/deploy/4-deployment-service-b-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.service-b-v2
File: /lessons/142/go-app/deploy/4-deployment-service-b-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.staging.service-b-v2
File: /lessons/142/go-app/deploy/4-deployment-service-b-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.staging.service-b-v2
File: /lessons/142/go-app/deploy/4-deployment-service-b-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.service-b-v2
File: /lessons/142/go-app/deploy/4-deployment-service-b-v2.yaml:2-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_156: "Minimize ClusterRoles that grant permissions to approve CertificateSigningRequests"
FAILED for resource: ClusterRole.default.istiod-clusterrole-istio-system
File: /lessons/142/istiod/clusterrole.yaml:3-109
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-permissions-to-approve-certificatesigningrequests-are-minimized.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_155: "Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations"
FAILED for resource: ClusterRole.default.istiod-clusterrole-istio-system
File: /lessons/142/istiod/clusterrole.yaml:3-109
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-control-over-validating-or-mutating-admission-webhook-configurations-are-minimized.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: ClusterRole.default.istio-reader-clusterrole-istio-system
File: /lessons/142/istiod/reader-clusterrole.yaml:3-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
3 | apiVersion: rbac.authorization.k8s.io/v1
4 | kind: ClusterRole
5 | metadata:
6 | name: istio-reader-clusterrole-istio-system
7 | labels:
8 | app: istio-reader
9 | release: test
10 | rules:
11 | - apiGroups:
12 | - "config.istio.io"
13 | - "security.istio.io"
14 | - "networking.istio.io"
15 | - "authentication.istio.io"
16 | - "rbac.istio.io"
17 | resources: ["*"]
18 | verbs: ["get", "list", "watch"]
19 | - apiGroups: [""]
20 | resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
21 | verbs: ["get", "list", "watch"]
22 | - apiGroups: ["networking.istio.io"]
23 | verbs: [ "get", "watch", "list" ]
24 | resources: [ "workloadentries" ]
25 | - apiGroups: ["apiextensions.k8s.io"]
26 | resources: ["customresourcedefinitions"]
27 | verbs: ["get", "list", "watch"]
28 | - apiGroups: ["discovery.k8s.io"]
29 | resources: ["endpointslices"]
30 | verbs: ["get", "list", "watch"]
31 | - apiGroups: ["multicluster.x-k8s.io"]
32 | resources: ["serviceexports"]
33 | verbs: ["get", "list", "watch", "create", "delete"]
34 | - apiGroups: ["multicluster.x-k8s.io"]
35 | resources: ["serviceimports"]
36 | verbs: ["get", "list", "watch"]
37 | - apiGroups: ["apps"]
38 | resources: ["replicasets"]
39 | verbs: ["get", "list", "watch"]
40 | - apiGroups: ["authentication.k8s.io"]
41 | resources: ["tokenreviews"]
42 | verbs: ["create"]
43 | - apiGroups: ["authorization.k8s.io"]
44 | resources: ["subjectaccessreviews"]
45 | verbs: ["create"]
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.istio-system.istiod
File: /lessons/142/istiod/deployment.yaml:3-163
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.istio-system.istiod
File: /lessons/142/istiod/deployment.yaml:3-163
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.istio-system.istiod
File: /lessons/142/istiod/deployment.yaml:3-163
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.istio-system.istiod
File: /lessons/142/istiod/deployment.yaml:3-163
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.istio-system.istiod
File: /lessons/142/istiod/deployment.yaml:3-163
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.istio-system.istiod
File: /lessons/142/istiod/deployment.yaml:3-163
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.istio-system.istiod
File: /lessons/142/istiod/deployment.yaml:3-163
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.istio-system.istiod
File: /lessons/142/istiod/deployment.yaml:3-163
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.myapp
File: /lessons/171/3-blue-green/native/3-service.yaml:2-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: Service
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | selector:
9 | app: myapp
10 | replica: blue
11 | ports:
12 | - protocol: TCP
13 | port: 8181
14 | targetPort: http
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.green-myapp
File: /lessons/171/3-blue-green/native/2-green-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: green-myapp
6 | namespace: default
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | replica: green
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | replica: green
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.green-myapp
File: /lessons/171/3-blue-green/native/2-green-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.green-myapp
File: /lessons/171/3-blue-green/native/2-green-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.green-myapp
File: /lessons/171/3-blue-green/native/2-green-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.green-myapp
File: /lessons/171/3-blue-green/native/2-green-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.green-myapp
File: /lessons/171/3-blue-green/native/2-green-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.green-myapp
File: /lessons/171/3-blue-green/native/2-green-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.green-myapp
File: /lessons/171/3-blue-green/native/2-green-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.green-myapp
File: /lessons/171/3-blue-green/native/2-green-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.green-myapp
File: /lessons/171/3-blue-green/native/2-green-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.green-myapp
File: /lessons/171/3-blue-green/native/2-green-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.green-myapp
File: /lessons/171/3-blue-green/native/2-green-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.green-myapp
File: /lessons/171/3-blue-green/native/2-green-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.green-myapp
File: /lessons/171/3-blue-green/native/2-green-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.green-myapp
File: /lessons/171/3-blue-green/native/2-green-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.green-myapp
File: /lessons/171/3-blue-green/native/2-green-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.green-myapp
File: /lessons/171/3-blue-green/native/2-green-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.green-myapp
File: /lessons/171/3-blue-green/native/2-green-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.green-myapp
File: /lessons/171/3-blue-green/native/2-green-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.blue-myapp
File: /lessons/171/3-blue-green/native/1-blue-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: blue-myapp
6 | namespace: default
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | replica: blue
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | replica: blue
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.blue-myapp
File: /lessons/171/3-blue-green/native/1-blue-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.blue-myapp
File: /lessons/171/3-blue-green/native/1-blue-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.blue-myapp
File: /lessons/171/3-blue-green/native/1-blue-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.blue-myapp
File: /lessons/171/3-blue-green/native/1-blue-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: blue-myapp
6 | namespace: default
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | replica: blue
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | replica: blue
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.blue-myapp
File: /lessons/171/3-blue-green/native/1-blue-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: blue-myapp
6 | namespace: default
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | replica: blue
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | replica: blue
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.blue-myapp
File: /lessons/171/3-blue-green/native/1-blue-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: blue-myapp
6 | namespace: default
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | replica: blue
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | replica: blue
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.blue-myapp
File: /lessons/171/3-blue-green/native/1-blue-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: blue-myapp
6 | namespace: default
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | replica: blue
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | replica: blue
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.blue-myapp
File: /lessons/171/3-blue-green/native/1-blue-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: blue-myapp
6 | namespace: default
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | replica: blue
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | replica: blue
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.blue-myapp
File: /lessons/171/3-blue-green/native/1-blue-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: blue-myapp
6 | namespace: default
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | replica: blue
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | replica: blue
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.blue-myapp
File: /lessons/171/3-blue-green/native/1-blue-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: blue-myapp
6 | namespace: default
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | replica: blue
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | replica: blue
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.blue-myapp
File: /lessons/171/3-blue-green/native/1-blue-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: blue-myapp
6 | namespace: default
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | replica: blue
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | replica: blue
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.blue-myapp
File: /lessons/171/3-blue-green/native/1-blue-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: blue-myapp
6 | namespace: default
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | replica: blue
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | replica: blue
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.blue-myapp
File: /lessons/171/3-blue-green/native/1-blue-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: blue-myapp
6 | namespace: default
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | replica: blue
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | replica: blue
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.blue-myapp
File: /lessons/171/3-blue-green/native/1-blue-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: blue-myapp
6 | namespace: default
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | replica: blue
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | replica: blue
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.blue-myapp
File: /lessons/171/3-blue-green/native/1-blue-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: blue-myapp
6 | namespace: default
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | replica: blue
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | replica: blue
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.blue-myapp
File: /lessons/171/3-blue-green/native/1-blue-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: blue-myapp
6 | namespace: default
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | replica: blue
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | replica: blue
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.blue-myapp
File: /lessons/171/3-blue-green/native/1-blue-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: blue-myapp
6 | namespace: default
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | replica: blue
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | replica: blue
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.blue-myapp
File: /lessons/171/3-blue-green/native/1-blue-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: blue-myapp
6 | namespace: default
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | replica: blue
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | replica: blue
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/3-blue-green/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/3-blue-green/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/3-blue-green/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/3-blue-green/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/3-blue-green/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/3-blue-green/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/3-blue-green/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/3-blue-green/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/3-blue-green/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/3-blue-green/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/3-blue-green/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/3-blue-green/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/3-blue-green/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/3-blue-green/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/3-blue-green/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/3-blue-green/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/3-blue-green/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/3-blue-green/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/171/monitoring/grafana/deployment.yaml:2-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/171/monitoring/grafana/deployment.yaml:2-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/171/monitoring/grafana/deployment.yaml:2-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/171/monitoring/grafana/deployment.yaml:2-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/171/monitoring/grafana/deployment.yaml:2-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/171/monitoring/grafana/deployment.yaml:2-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/171/monitoring/grafana/deployment.yaml:2-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/171/monitoring/grafana/deployment.yaml:2-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/171/monitoring/grafana/deployment.yaml:2-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/171/monitoring/grafana/deployment.yaml:2-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.grafana
File: /lessons/171/monitoring/grafana/deployment.yaml:2-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: ClusterRole.default.prometheus-operator
File: /lessons/171/monitoring/prometheus-operator/deployment/cluster-role.yaml:2-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/171/monitoring/prometheus-operator/deployment/deployment.yaml:2-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/171/monitoring/prometheus-operator/deployment/deployment.yaml:2-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/171/monitoring/prometheus-operator/deployment/deployment.yaml:2-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/171/monitoring/prometheus-operator/deployment/deployment.yaml:2-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/171/monitoring/prometheus-operator/deployment/deployment.yaml:2-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/2-recreate/2-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: Recreate
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: myapp
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: myapp
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-171:v1
22 |           resources:
23 |             requests:
24 |               memory: "3Gi"
25 |               cpu: "2"
26 |             limits:
27 |               memory: "3Gi"
28 |               cpu: "2"
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/2-recreate/2-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: Recreate
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: myapp
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: myapp
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-171:v1
22 |           resources:
23 |             requests:
24 |               memory: "3Gi"
25 |               cpu: "2"
26 |             limits:
27 |               memory: "3Gi"
28 |               cpu: "2"
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/2-recreate/2-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: Recreate
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: myapp
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: myapp
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-171:v1
22 |           resources:
23 |             requests:
24 |               memory: "3Gi"
25 |               cpu: "2"
26 |             limits:
27 |               memory: "3Gi"
28 |               cpu: "2"
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/2-recreate/2-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: Recreate
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: myapp
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: myapp
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-171:v1
22 |           resources:
23 |             requests:
24 |               memory: "3Gi"
25 |               cpu: "2"
26 |             limits:
27 |               memory: "3Gi"
28 |               cpu: "2"
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/2-recreate/2-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: Recreate
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: myapp
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: myapp
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-171:v1
22 |           resources:
23 |             requests:
24 |               memory: "3Gi"
25 |               cpu: "2"
26 |             limits:
27 |               memory: "3Gi"
28 |               cpu: "2"
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/2-recreate/2-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: Recreate
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: myapp
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: myapp
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-171:v1
22 |           resources:
23 |             requests:
24 |               memory: "3Gi"
25 |               cpu: "2"
26 |             limits:
27 |               memory: "3Gi"
28 |               cpu: "2"
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/2-recreate/2-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: Recreate
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: myapp
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: myapp
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-171:v1
22 |           resources:
23 |             requests:
24 |               memory: "3Gi"
25 |               cpu: "2"
26 |             limits:
27 |               memory: "3Gi"
28 |               cpu: "2"
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/2-recreate/2-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: Recreate
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: myapp
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: myapp
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-171:v1
22 |           resources:
23 |             requests:
24 |               memory: "3Gi"
25 |               cpu: "2"
26 |             limits:
27 |               memory: "3Gi"
28 |               cpu: "2"
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/2-recreate/2-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: Recreate
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: myapp
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: myapp
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-171:v1
22 |           resources:
23 |             requests:
24 |               memory: "3Gi"
25 |               cpu: "2"
26 |             limits:
27 |               memory: "3Gi"
28 |               cpu: "2"
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/2-recreate/2-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: Recreate
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: myapp
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: myapp
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-171:v1
22 |           resources:
23 |             requests:
24 |               memory: "3Gi"
25 |               cpu: "2"
26 |             limits:
27 |               memory: "3Gi"
28 |               cpu: "2"
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/2-recreate/2-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: Recreate
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: myapp
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: myapp
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-171:v1
22 |           resources:
23 |             requests:
24 |               memory: "3Gi"
25 |               cpu: "2"
26 |             limits:
27 |               memory: "3Gi"
28 |               cpu: "2"
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/2-recreate/2-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: Recreate
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: myapp
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: myapp
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-171:v1
22 |           resources:
23 |             requests:
24 |               memory: "3Gi"
25 |               cpu: "2"
26 |             limits:
27 |               memory: "3Gi"
28 |               cpu: "2"
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/2-recreate/2-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: Recreate
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: myapp
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: myapp
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-171:v1
22 |           resources:
23 |             requests:
24 |               memory: "3Gi"
25 |               cpu: "2"
26 |             limits:
27 |               memory: "3Gi"
28 |               cpu: "2"
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/2-recreate/2-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: Recreate
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: myapp
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: myapp
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-171:v1
22 |           resources:
23 |             requests:
24 |               memory: "3Gi"
25 |               cpu: "2"
26 |             limits:
27 |               memory: "3Gi"
28 |               cpu: "2"
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/2-recreate/2-deployment.yaml:2-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: Recreate
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: myapp
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: myapp
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-171:v1
22 |           resources:
23 |             requests:
24 |               memory: "3Gi"
25 |               cpu: "2"
26 |             limits:
27 |               memory: "3Gi"
28 |               cpu: "2"
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/2-recreate/1-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: Recreate
10 |   replicas: 4
11 |   selector:
12 |     matchLabels:
13 |       app: myapp
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: myapp
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-171:v1
22 |           ports:
23 |             - name: http
24 |               containerPort: 8181
25 |           startupProbe:
26 |             tcpSocket:
27 |               port: 8181
28 |             initialDelaySeconds: 20
29 |             periodSeconds: 5
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/2-recreate/1-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: Recreate
10 |   replicas: 4
11 |   selector:
12 |     matchLabels:
13 |       app: myapp
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: myapp
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-171:v1
22 |           ports:
23 |             - name: http
24 |               containerPort: 8181
25 |           startupProbe:
26 |             tcpSocket:
27 |               port: 8181
28 |             initialDelaySeconds: 20
29 |             periodSeconds: 5
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/2-recreate/1-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: Recreate
10 |   replicas: 4
11 |   selector:
12 |     matchLabels:
13 |       app: myapp
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: myapp
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-171:v1
22 |           ports:
23 |             - name: http
24 |               containerPort: 8181
25 |           startupProbe:
26 |             tcpSocket:
27 |               port: 8181
28 |             initialDelaySeconds: 20
29 |             periodSeconds: 5
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/2-recreate/1-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: Recreate
10 |   replicas: 4
11 |   selector:
12 |     matchLabels:
13 |       app: myapp
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: myapp
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-171:v1
22 |           ports:
23 |             - name: http
24 |               containerPort: 8181
25 |           startupProbe:
26 |             tcpSocket:
27 |               port: 8181
28 |             initialDelaySeconds: 20
29 |             periodSeconds: 5
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/2-recreate/1-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: Recreate
10 |   replicas: 4
11 |   selector:
12 |     matchLabels:
13 |       app: myapp
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: myapp
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-171:v1
22 |           ports:
23 |             - name: http
24 |               containerPort: 8181
25 |           startupProbe:
26 |             tcpSocket:
27 |               port: 8181
28 |             initialDelaySeconds: 20
29 |             periodSeconds: 5
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/2-recreate/1-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: Recreate
10 |   replicas: 4
11 |   selector:
12 |     matchLabels:
13 |       app: myapp
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: myapp
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-171:v1
22 |           ports:
23 |             - name: http
24 |               containerPort: 8181
25 |           startupProbe:
26 |             tcpSocket:
27 |               port: 8181
28 |             initialDelaySeconds: 20
29 |             periodSeconds: 5
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/2-recreate/1-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: Recreate
10 |   replicas: 4
11 |   selector:
12 |     matchLabels:
13 |       app: myapp
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: myapp
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-171:v1
22 |           ports:
23 |             - name: http
24 |               containerPort: 8181
25 |           startupProbe:
26 |             tcpSocket:
27 |               port: 8181
28 |             initialDelaySeconds: 20
29 |             periodSeconds: 5
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/2-recreate/1-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: Recreate
10 |   replicas: 4
11 |   selector:
12 |     matchLabels:
13 |       app: myapp
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: myapp
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-171:v1
22 |           ports:
23 |             - name: http
24 |               containerPort: 8181
25 |           startupProbe:
26 |             tcpSocket:
27 |               port: 8181
28 |             initialDelaySeconds: 20
29 |             periodSeconds: 5
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/2-recreate/1-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: Recreate
10 |   replicas: 4
11 |   selector:
12 |     matchLabels:
13 |       app: myapp
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: myapp
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-171:v1
22 |           ports:
23 |             - name: http
24 |               containerPort: 8181
25 |           startupProbe:
26 |             tcpSocket:
27 |               port: 8181
28 |             initialDelaySeconds: 20
29 |             periodSeconds: 5
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/2-recreate/1-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: Recreate
10 |   replicas: 4
11 |   selector:
12 |     matchLabels:
13 |       app: myapp
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: myapp
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-171:v1
22 |           ports:
23 |             - name: http
24 |               containerPort: 8181
25 |           startupProbe:
26 |             tcpSocket:
27 |               port: 8181
28 |             initialDelaySeconds: 20
29 |             periodSeconds: 5
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/2-recreate/1-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: Recreate
10 |   replicas: 4
11 |   selector:
12 |     matchLabels:
13 |       app: myapp
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: myapp
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-171:v1
22 |           ports:
23 |             - name: http
24 |               containerPort: 8181
25 |           startupProbe:
26 |             tcpSocket:
27 |               port: 8181
28 |             initialDelaySeconds: 20
29 |             periodSeconds: 5
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/2-recreate/1-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: Recreate
10 |   replicas: 4
11 |   selector:
12 |     matchLabels:
13 |       app: myapp
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: myapp
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-171:v1
22 |           ports:
23 |             - name: http
24 |               containerPort: 8181
25 |           startupProbe:
26 |             tcpSocket:
27 |               port: 8181
28 |             initialDelaySeconds: 20
29 |             periodSeconds: 5
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/2-recreate/1-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: Recreate
10 |   replicas: 4
11 |   selector:
12 |     matchLabels:
13 |       app: myapp
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: myapp
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-171:v1
22 |           ports:
23 |             - name: http
24 |               containerPort: 8181
25 |           startupProbe:
26 |             tcpSocket:
27 |               port: 8181
28 |             initialDelaySeconds: 20
29 |             periodSeconds: 5
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/2-recreate/1-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: Recreate
10 |   replicas: 4
11 |   selector:
12 |     matchLabels:
13 |       app: myapp
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: myapp
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-171:v1
22 |           ports:
23 |             - name: http
24 |               containerPort: 8181
25 |           startupProbe:
26 |             tcpSocket:
27 |               port: 8181
28 |             initialDelaySeconds: 20
29 |             periodSeconds: 5
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/2-recreate/1-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: Recreate
10 |   replicas: 4
11 |   selector:
12 |     matchLabels:
13 |       app: myapp
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: myapp
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-171:v1
22 |           ports:
23 |             - name: http
24 |               containerPort: 8181
25 |           startupProbe:
26 |             tcpSocket:
27 |               port: 8181
28 |             initialDelaySeconds: 20
29 |             periodSeconds: 5
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/2-recreate/1-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: Recreate
10 |   replicas: 4
11 |   selector:
12 |     matchLabels:
13 |       app: myapp
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: myapp
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-171:v1
22 |           ports:
23 |             - name: http
24 |               containerPort: 8181
25 |           startupProbe:
26 |             tcpSocket:
27 |               port: 8181
28 |             initialDelaySeconds: 20
29 |             periodSeconds: 5
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/2-recreate/1-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: Recreate
10 |   replicas: 4
11 |   selector:
12 |     matchLabels:
13 |       app: myapp
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: myapp
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-171:v1
22 |           ports:
23 |             - name: http
24 |               containerPort: 8181
25 |           startupProbe:
26 |             tcpSocket:
27 |               port: 8181
28 |             initialDelaySeconds: 20
29 |             periodSeconds: 5
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/2-recreate/1-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: Recreate
10 |   replicas: 4
11 |   selector:
12 |     matchLabels:
13 |       app: myapp
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: myapp
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-171:v1
22 |           ports:
23 |             - name: http
24 |               containerPort: 8181
25 |           startupProbe:
26 |             tcpSocket:
27 |               port: 8181
28 |             initialDelaySeconds: 20
29 |             periodSeconds: 5
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/2-recreate/1-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | strategy:
9 | type: Recreate
10 | replicas: 4
11 | selector:
12 | matchLabels:
13 | app: myapp
14 | template:
15 | metadata:
16 | labels:
17 | app: myapp
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/6-ab-testing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/6-ab-testing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/6-ab-testing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/6-ab-testing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/6-ab-testing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/6-ab-testing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/6-ab-testing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/6-ab-testing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/6-ab-testing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/6-ab-testing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/6-ab-testing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/6-ab-testing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/6-ab-testing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/6-ab-testing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/6-ab-testing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/6-ab-testing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/6-ab-testing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/6-ab-testing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v1
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.myapp
File: /lessons/171/4-canary/native/3-service.yaml:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: Service
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | selector:
9 | app: myapp
10 | ports:
11 | - protocol: TCP
12 | port: 8181
13 | targetPort: http
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/4-canary/native/1-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | replicas: 0
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | template:
13 | metadata:
14 | labels:
15 | app: myapp
16 | spec:
17 | containers:
18 | - name: myapp
19 | image: aputra/myapp-171:v1
20 | ports:
21 | - name: http
22 | containerPort: 8181
23 | startupProbe:
24 | tcpSocket:
25 | port: 8181
26 | initialDelaySeconds: 20
27 | periodSeconds: 5
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/4-canary/native/1-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | replicas: 0
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | template:
13 | metadata:
14 | labels:
15 | app: myapp
16 | spec:
17 | containers:
18 | - name: myapp
19 | image: aputra/myapp-171:v1
20 | ports:
21 | - name: http
22 | containerPort: 8181
23 | startupProbe:
24 | tcpSocket:
25 | port: 8181
26 | initialDelaySeconds: 20
27 | periodSeconds: 5
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/4-canary/native/1-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | replicas: 0
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | template:
13 | metadata:
14 | labels:
15 | app: myapp
16 | spec:
17 | containers:
18 | - name: myapp
19 | image: aputra/myapp-171:v1
20 | ports:
21 | - name: http
22 | containerPort: 8181
23 | startupProbe:
24 | tcpSocket:
25 | port: 8181
26 | initialDelaySeconds: 20
27 | periodSeconds: 5
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/4-canary/native/1-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | replicas: 0
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | template:
13 | metadata:
14 | labels:
15 | app: myapp
16 | spec:
17 | containers:
18 | - name: myapp
19 | image: aputra/myapp-171:v1
20 | ports:
21 | - name: http
22 | containerPort: 8181
23 | startupProbe:
24 | tcpSocket:
25 | port: 8181
26 | initialDelaySeconds: 20
27 | periodSeconds: 5
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/4-canary/native/1-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | replicas: 0
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | template:
13 | metadata:
14 | labels:
15 | app: myapp
16 | spec:
17 | containers:
18 | - name: myapp
19 | image: aputra/myapp-171:v1
20 | ports:
21 | - name: http
22 | containerPort: 8181
23 | startupProbe:
24 | tcpSocket:
25 | port: 8181
26 | initialDelaySeconds: 20
27 | periodSeconds: 5
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/4-canary/native/1-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | replicas: 0
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | template:
13 | metadata:
14 | labels:
15 | app: myapp
16 | spec:
17 | containers:
18 | - name: myapp
19 | image: aputra/myapp-171:v1
20 | ports:
21 | - name: http
22 | containerPort: 8181
23 | startupProbe:
24 | tcpSocket:
25 | port: 8181
26 | initialDelaySeconds: 20
27 | periodSeconds: 5
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/4-canary/native/1-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | replicas: 0
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | template:
13 | metadata:
14 | labels:
15 | app: myapp
16 | spec:
17 | containers:
18 | - name: myapp
19 | image: aputra/myapp-171:v1
20 | ports:
21 | - name: http
22 | containerPort: 8181
23 | startupProbe:
24 | tcpSocket:
25 | port: 8181
26 | initialDelaySeconds: 20
27 | periodSeconds: 5
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/4-canary/native/1-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | replicas: 0
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | template:
13 | metadata:
14 | labels:
15 | app: myapp
16 | spec:
17 | containers:
18 | - name: myapp
19 | image: aputra/myapp-171:v1
20 | ports:
21 | - name: http
22 | containerPort: 8181
23 | startupProbe:
24 | tcpSocket:
25 | port: 8181
26 | initialDelaySeconds: 20
27 | periodSeconds: 5
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/4-canary/native/1-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | replicas: 0
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | template:
13 | metadata:
14 | labels:
15 | app: myapp
16 | spec:
17 | containers:
18 | - name: myapp
19 | image: aputra/myapp-171:v1
20 | ports:
21 | - name: http
22 | containerPort: 8181
23 | startupProbe:
24 | tcpSocket:
25 | port: 8181
26 | initialDelaySeconds: 20
27 | periodSeconds: 5
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/4-canary/native/1-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | replicas: 0
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | template:
13 | metadata:
14 | labels:
15 | app: myapp
16 | spec:
17 | containers:
18 | - name: myapp
19 | image: aputra/myapp-171:v1
20 | ports:
21 | - name: http
22 | containerPort: 8181
23 | startupProbe:
24 | tcpSocket:
25 | port: 8181
26 | initialDelaySeconds: 20
27 | periodSeconds: 5
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/4-canary/native/1-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | replicas: 0
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | template:
13 | metadata:
14 | labels:
15 | app: myapp
16 | spec:
17 | containers:
18 | - name: myapp
19 | image: aputra/myapp-171:v1
20 | ports:
21 | - name: http
22 | containerPort: 8181
23 | startupProbe:
24 | tcpSocket:
25 | port: 8181
26 | initialDelaySeconds: 20
27 | periodSeconds: 5
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/4-canary/native/1-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | replicas: 0
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | template:
13 | metadata:
14 | labels:
15 | app: myapp
16 | spec:
17 | containers:
18 | - name: myapp
19 | image: aputra/myapp-171:v1
20 | ports:
21 | - name: http
22 | containerPort: 8181
23 | startupProbe:
24 | tcpSocket:
25 | port: 8181
26 | initialDelaySeconds: 20
27 | periodSeconds: 5
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/4-canary/native/1-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | replicas: 0
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | template:
13 | metadata:
14 | labels:
15 | app: myapp
16 | spec:
17 | containers:
18 | - name: myapp
19 | image: aputra/myapp-171:v1
20 | ports:
21 | - name: http
22 | containerPort: 8181
23 | startupProbe:
24 | tcpSocket:
25 | port: 8181
26 | initialDelaySeconds: 20
27 | periodSeconds: 5
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/4-canary/native/1-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | replicas: 0
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | template:
13 | metadata:
14 | labels:
15 | app: myapp
16 | spec:
17 | containers:
18 | - name: myapp
19 | image: aputra/myapp-171:v1
20 | ports:
21 | - name: http
22 | containerPort: 8181
23 | startupProbe:
24 | tcpSocket:
25 | port: 8181
26 | initialDelaySeconds: 20
27 | periodSeconds: 5
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/4-canary/native/1-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | replicas: 0
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | template:
13 | metadata:
14 | labels:
15 | app: myapp
16 | spec:
17 | containers:
18 | - name: myapp
19 | image: aputra/myapp-171:v1
20 | ports:
21 | - name: http
22 | containerPort: 8181
23 | startupProbe:
24 | tcpSocket:
25 | port: 8181
26 | initialDelaySeconds: 20
27 | periodSeconds: 5
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/4-canary/native/1-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | replicas: 0
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | template:
13 | metadata:
14 | labels:
15 | app: myapp
16 | spec:
17 | containers:
18 | - name: myapp
19 | image: aputra/myapp-171:v1
20 | ports:
21 | - name: http
22 | containerPort: 8181
23 | startupProbe:
24 | tcpSocket:
25 | port: 8181
26 | initialDelaySeconds: 20
27 | periodSeconds: 5
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/4-canary/native/1-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | replicas: 0
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | template:
13 | metadata:
14 | labels:
15 | app: myapp
16 | spec:
17 | containers:
18 | - name: myapp
19 | image: aputra/myapp-171:v1
20 | ports:
21 | - name: http
22 | containerPort: 8181
23 | startupProbe:
24 | tcpSocket:
25 | port: 8181
26 | initialDelaySeconds: 20
27 | periodSeconds: 5
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/4-canary/native/1-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/4-canary/native/1-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.canary-myapp
File: /lessons/171/4-canary/native/2-canary-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
 2 | apiVersion: apps/v1
 3 | kind: Deployment
 4 | metadata:
 5 |   name: canary-myapp
 6 |   namespace: default
 7 | spec:
 8 |   replicas: 10
 9 |   selector:
10 |     matchLabels:
11 |       app: myapp
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: myapp
16 |     spec:
17 |       containers:
18 |         - name: myapp
19 |           image: aputra/myapp-171:v2
20 |           ports:
21 |             - name: http
22 |               containerPort: 8181
23 |           startupProbe:
24 |             tcpSocket:
25 |               port: 8181
26 |             initialDelaySeconds: 20
27 |             periodSeconds: 5
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.canary-myapp
File: /lessons/171/4-canary/native/2-canary-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.canary-myapp
File: /lessons/171/4-canary/native/2-canary-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.canary-myapp
File: /lessons/171/4-canary/native/2-canary-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.canary-myapp
File: /lessons/171/4-canary/native/2-canary-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.canary-myapp
File: /lessons/171/4-canary/native/2-canary-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.canary-myapp
File: /lessons/171/4-canary/native/2-canary-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.canary-myapp
File: /lessons/171/4-canary/native/2-canary-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.canary-myapp
File: /lessons/171/4-canary/native/2-canary-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.canary-myapp
File: /lessons/171/4-canary/native/2-canary-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.canary-myapp
File: /lessons/171/4-canary/native/2-canary-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.canary-myapp
File: /lessons/171/4-canary/native/2-canary-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.canary-myapp
File: /lessons/171/4-canary/native/2-canary-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.canary-myapp
File: /lessons/171/4-canary/native/2-canary-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.canary-myapp
File: /lessons/171/4-canary/native/2-canary-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.canary-myapp
File: /lessons/171/4-canary/native/2-canary-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.canary-myapp
File: /lessons/171/4-canary/native/2-canary-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.canary-myapp
File: /lessons/171/4-canary/native/2-canary-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.canary-myapp
File: /lessons/171/4-canary/native/2-canary-deployment.yaml:2-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/4-canary/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
 2 | apiVersion: apps/v1
 3 | kind: Deployment
 4 | metadata:
 5 |   name: myapp
 6 |   namespace: staging
 7 | spec:
 8 |   replicas: 2
 9 |   selector:
10 |     matchLabels:
11 |       app: myapp
12 |       istio: monitor
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: myapp
17 |         istio: monitor
18 |     spec:
19 |       containers:
20 |         - name: myapp
21 |           image: aputra/myapp-171:v2
22 |           ports:
23 |             - name: http
24 |               containerPort: 8181
25 |           startupProbe:
26 |             tcpSocket:
27 |               port: 8181
28 |             initialDelaySeconds: 20
29 |             periodSeconds: 5
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/4-canary/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/4-canary/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/4-canary/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/4-canary/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/4-canary/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/4-canary/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/4-canary/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/4-canary/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/4-canary/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/4-canary/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/4-canary/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/4-canary/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/4-canary/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/4-canary/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/4-canary/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/4-canary/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/4-canary/flagger/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/5-shadowing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/5-shadowing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/5-shadowing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/5-shadowing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/5-shadowing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/5-shadowing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/5-shadowing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/5-shadowing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/5-shadowing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/5-shadowing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/5-shadowing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/5-shadowing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/5-shadowing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/5-shadowing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/5-shadowing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/5-shadowing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/5-shadowing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.myapp
File: /lessons/171/5-shadowing/2-deployment.yaml:2-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: staging
7 | spec:
8 | replicas: 2
9 | selector:
10 | matchLabels:
11 | app: myapp
12 | istio: monitor
13 | template:
14 | metadata:
15 | labels:
16 | app: myapp
17 | istio: monitor
18 | spec:
19 | containers:
20 | - name: myapp
21 | image: aputra/myapp-171:v2
22 | ports:
23 | - name: http
24 | containerPort: 8181
25 | startupProbe:
26 | tcpSocket:
27 | port: 8181
28 | initialDelaySeconds: 20
29 | periodSeconds: 5
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.myapp
File: /lessons/171/1-rolling-update/3-service.yaml:2-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: Service
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | selector:
9 | app: myapp
10 | ports:
11 | - protocol: TCP
12 | port: 8181
13 | targetPort: http
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | strategy:
9 | type: RollingUpdate
10 | rollingUpdate:
11 | # Max number of Pods that can be unavailable during the update process
12 | maxUnavailable: 1
13 | # Max number of Pods that can be created over the desired number of Pods
14 | maxSurge: 1
15 | replicas: 10
16 | selector:
17 | matchLabels:
18 | app: myapp
19 | template:
20 | metadata:
21 | labels:
22 | app: myapp
23 | spec:
24 | containers:
25 | - name: myapp
26 | image: aputra/myapp-171:v2
27 | ports:
28 | - name: http
29 | containerPort: 8181
30 | startupProbe:
31 | tcpSocket:
32 | port: 8181
33 | initialDelaySeconds: 20
34 | periodSeconds: 5
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | strategy:
9 | type: RollingUpdate
10 | rollingUpdate:
11 | # Max number of Pods that can be unavailable during the update process
12 | maxUnavailable: 1
13 | # Max number of Pods that can be created over the desired number of Pods
14 | maxSurge: 1
15 | replicas: 10
16 | selector:
17 | matchLabels:
18 | app: myapp
19 | template:
20 | metadata:
21 | labels:
22 | app: myapp
23 | spec:
24 | containers:
25 | - name: myapp
26 | image: aputra/myapp-171:v2
27 | ports:
28 | - name: http
29 | containerPort: 8181
30 | startupProbe:
31 | tcpSocket:
32 | port: 8181
33 | initialDelaySeconds: 20
34 | periodSeconds: 5
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | strategy:
9 | type: RollingUpdate
10 | rollingUpdate:
11 | # Max number of Pods that can be unavailable during the update process
12 | maxUnavailable: 1
13 | # Max number of Pods that can be created over the desired number of Pods
14 | maxSurge: 1
15 | replicas: 10
16 | selector:
17 | matchLabels:
18 | app: myapp
19 | template:
20 | metadata:
21 | labels:
22 | app: myapp
23 | spec:
24 | containers:
25 | - name: myapp
26 | image: aputra/myapp-171:v2
27 | ports:
28 | - name: http
29 | containerPort: 8181
30 | startupProbe:
31 | tcpSocket:
32 | port: 8181
33 | initialDelaySeconds: 20
34 | periodSeconds: 5
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | strategy:
9 | type: RollingUpdate
10 | rollingUpdate:
11 | # Max number of Pods that can be unavailable during the update process
12 | maxUnavailable: 1
13 | # Max number of Pods that can be created over the desired number of Pods
14 | maxSurge: 1
15 | replicas: 10
16 | selector:
17 | matchLabels:
18 | app: myapp
19 | template:
20 | metadata:
21 | labels:
22 | app: myapp
23 | spec:
24 | containers:
25 | - name: myapp
26 | image: aputra/myapp-171:v2
27 | ports:
28 | - name: http
29 | containerPort: 8181
30 | startupProbe:
31 | tcpSocket:
32 | port: 8181
33 | initialDelaySeconds: 20
34 | periodSeconds: 5
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | strategy:
9 | type: RollingUpdate
10 | rollingUpdate:
11 | # Max number of Pods that can be unavailable during the update process
12 | maxUnavailable: 1
13 | # Max number of Pods that can be created over the desired number of Pods
14 | maxSurge: 1
15 | replicas: 10
16 | selector:
17 | matchLabels:
18 | app: myapp
19 | template:
20 | metadata:
21 | labels:
22 | app: myapp
23 | spec:
24 | containers:
25 | - name: myapp
26 | image: aputra/myapp-171:v2
27 | ports:
28 | - name: http
29 | containerPort: 8181
30 | startupProbe:
31 | tcpSocket:
32 | port: 8181
33 | initialDelaySeconds: 20
34 | periodSeconds: 5
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | strategy:
9 | type: RollingUpdate
10 | rollingUpdate:
11 | # Max number of Pods that can be unavailable during the update process
12 | maxUnavailable: 1
13 | # Max number of Pods that can be created over the desired number of Pods
14 | maxSurge: 1
15 | replicas: 10
16 | selector:
17 | matchLabels:
18 | app: myapp
19 | template:
20 | metadata:
21 | labels:
22 | app: myapp
23 | spec:
24 | containers:
25 | - name: myapp
26 | image: aputra/myapp-171:v2
27 | ports:
28 | - name: http
29 | containerPort: 8181
30 | startupProbe:
31 | tcpSocket:
32 | port: 8181
33 | initialDelaySeconds: 20
34 | periodSeconds: 5
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | strategy:
9 | type: RollingUpdate
10 | rollingUpdate:
11 | # Max number of Pods that can be unavailable during the update process
12 | maxUnavailable: 1
13 | # Max number of Pods that can be created over the desired number of Pods
14 | maxSurge: 1
15 | replicas: 10
16 | selector:
17 | matchLabels:
18 | app: myapp
19 | template:
20 | metadata:
21 | labels:
22 | app: myapp
23 | spec:
24 | containers:
25 | - name: myapp
26 | image: aputra/myapp-171:v2
27 | ports:
28 | - name: http
29 | containerPort: 8181
30 | startupProbe:
31 | tcpSocket:
32 | port: 8181
33 | initialDelaySeconds: 20
34 | periodSeconds: 5
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | strategy:
9 | type: RollingUpdate
10 | rollingUpdate:
11 | # Max number of Pods that can be unavailable during the update process
12 | maxUnavailable: 1
13 | # Max number of Pods that can be created over the desired number of Pods
14 | maxSurge: 1
15 | replicas: 10
16 | selector:
17 | matchLabels:
18 | app: myapp
19 | template:
20 | metadata:
21 | labels:
22 | app: myapp
23 | spec:
24 | containers:
25 | - name: myapp
26 | image: aputra/myapp-171:v2
27 | ports:
28 | - name: http
29 | containerPort: 8181
30 | startupProbe:
31 | tcpSocket:
32 | port: 8181
33 | initialDelaySeconds: 20
34 | periodSeconds: 5
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | strategy:
9 | type: RollingUpdate
10 | rollingUpdate:
11 | # Max number of Pods that can be unavailable during the update process
12 | maxUnavailable: 1
13 | # Max number of Pods that can be created over the desired number of Pods
14 | maxSurge: 1
15 | replicas: 10
16 | selector:
17 | matchLabels:
18 | app: myapp
19 | template:
20 | metadata:
21 | labels:
22 | app: myapp
23 | spec:
24 | containers:
25 | - name: myapp
26 | image: aputra/myapp-171:v2
27 | ports:
28 | - name: http
29 | containerPort: 8181
30 | startupProbe:
31 | tcpSocket:
32 | port: 8181
33 | initialDelaySeconds: 20
34 | periodSeconds: 5
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | strategy:
9 | type: RollingUpdate
10 | rollingUpdate:
11 | # Max number of Pods that can be unavailable during the update process
12 | maxUnavailable: 1
13 | # Max number of Pods that can be created over the desired number of Pods
14 | maxSurge: 1
15 | replicas: 10
16 | selector:
17 | matchLabels:
18 | app: myapp
19 | template:
20 | metadata:
21 | labels:
22 | app: myapp
23 | spec:
24 | containers:
25 | - name: myapp
26 | image: aputra/myapp-171:v2
27 | ports:
28 | - name: http
29 | containerPort: 8181
30 | startupProbe:
31 | tcpSocket:
32 | port: 8181
33 | initialDelaySeconds: 20
34 | periodSeconds: 5
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | strategy:
9 | type: RollingUpdate
10 | rollingUpdate:
11 | # Max number of Pods that can be unavailable during the update process
12 | maxUnavailable: 1
13 | # Max number of Pods that can be created over the desired number of Pods
14 | maxSurge: 1
15 | replicas: 10
16 | selector:
17 | matchLabels:
18 | app: myapp
19 | template:
20 | metadata:
21 | labels:
22 | app: myapp
23 | spec:
24 | containers:
25 | - name: myapp
26 | image: aputra/myapp-171:v2
27 | ports:
28 | - name: http
29 | containerPort: 8181
30 | startupProbe:
31 | tcpSocket:
32 | port: 8181
33 | initialDelaySeconds: 20
34 | periodSeconds: 5
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | strategy:
9 | type: RollingUpdate
10 | rollingUpdate:
11 | # Max number of Pods that can be unavailable during the update process
12 | maxUnavailable: 1
13 | # Max number of Pods that can be created over the desired number of Pods
14 | maxSurge: 1
15 | replicas: 10
16 | selector:
17 | matchLabels:
18 | app: myapp
19 | template:
20 | metadata:
21 | labels:
22 | app: myapp
23 | spec:
24 | containers:
25 | - name: myapp
26 | image: aputra/myapp-171:v2
27 | ports:
28 | - name: http
29 | containerPort: 8181
30 | startupProbe:
31 | tcpSocket:
32 | port: 8181
33 | initialDelaySeconds: 20
34 | periodSeconds: 5
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | strategy:
9 | type: RollingUpdate
10 | rollingUpdate:
11 | # Max number of Pods that can be unavailable during the update process
12 | maxUnavailable: 1
13 | # Max number of Pods that can be created over the desired number of Pods
14 | maxSurge: 1
15 | replicas: 10
16 | selector:
17 | matchLabels:
18 | app: myapp
19 | template:
20 | metadata:
21 | labels:
22 | app: myapp
23 | spec:
24 | containers:
25 | - name: myapp
26 | image: aputra/myapp-171:v2
27 | ports:
28 | - name: http
29 | containerPort: 8181
30 | startupProbe:
31 | tcpSocket:
32 | port: 8181
33 | initialDelaySeconds: 20
34 | periodSeconds: 5
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: myapp
6 | namespace: default
7 | spec:
8 | strategy:
9 | type: RollingUpdate
10 | rollingUpdate:
11 | # Max number of Pods that can be unavailable during the update process
12 | maxUnavailable: 1
13 | # Max number of Pods that can be created over the desired number of Pods
14 | maxSurge: 1
15 | replicas: 10
16 | selector:
17 | matchLabels:
18 | app: myapp
19 | template:
20 | metadata:
21 | labels:
22 | app: myapp
23 | spec:
24 | containers:
25 | - name: myapp
26 | image: aputra/myapp-171:v2
27 | ports:
28 | - name: http
29 | containerPort: 8181
30 | startupProbe:
31 | tcpSocket:
32 | port: 8181
33 | initialDelaySeconds: 20
34 | periodSeconds: 5
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: RollingUpdate
10 |     rollingUpdate:
11 |       # Max number of Pods that can be unavailable during the update process
12 |       maxUnavailable: 1
13 |       # Max number of Pods that can be created over the desired number of Pods
14 |       maxSurge: 1
15 |   replicas: 10
16 |   selector:
17 |     matchLabels:
18 |       app: myapp
19 |   template:
20 |     metadata:
21 |       labels:
22 |         app: myapp
23 |     spec:
24 |       containers:
25 |         - name: myapp
26 |           image: aputra/myapp-171:v2
27 |           ports:
28 |             - name: http
29 |               containerPort: 8181
30 |           startupProbe:
31 |             tcpSocket:
32 |               port: 8181
33 |             initialDelaySeconds: 20
34 |             periodSeconds: 5
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: RollingUpdate
10 |     rollingUpdate:
11 |       # Max number of Pods that can be unavailable during the update process
12 |       maxUnavailable: 1
13 |       # Max number of Pods that can be created over the desired number of Pods
14 |       maxSurge: 1
15 |   replicas: 10
16 |   selector:
17 |     matchLabels:
18 |       app: myapp
19 |   template:
20 |     metadata:
21 |       labels:
22 |         app: myapp
23 |     spec:
24 |       containers:
25 |         - name: myapp
26 |           image: aputra/myapp-171:v2
27 |           ports:
28 |             - name: http
29 |               containerPort: 8181
30 |           startupProbe:
31 |             tcpSocket:
32 |               port: 8181
33 |             initialDelaySeconds: 20
34 |             periodSeconds: 5
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: RollingUpdate
10 |     rollingUpdate:
11 |       # Max number of Pods that can be unavailable during the update process
12 |       maxUnavailable: 1
13 |       # Max number of Pods that can be created over the desired number of Pods
14 |       maxSurge: 1
15 |   replicas: 10
16 |   selector:
17 |     matchLabels:
18 |       app: myapp
19 |   template:
20 |     metadata:
21 |       labels:
22 |         app: myapp
23 |     spec:
24 |       containers:
25 |         - name: myapp
26 |           image: aputra/myapp-171:v2
27 |           ports:
28 |             - name: http
29 |               containerPort: 8181
30 |           startupProbe:
31 |             tcpSocket:
32 |               port: 8181
33 |             initialDelaySeconds: 20
34 |             periodSeconds: 5
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: RollingUpdate
10 |     rollingUpdate:
11 |       # Max number of Pods that can be unavailable during the update process
12 |       maxUnavailable: 1
13 |       # Max number of Pods that can be created over the desired number of Pods
14 |       maxSurge: 1
15 |   replicas: 10
16 |   selector:
17 |     matchLabels:
18 |       app: myapp
19 |   template:
20 |     metadata:
21 |       labels:
22 |         app: myapp
23 |     spec:
24 |       containers:
25 |         - name: myapp
26 |           image: aputra/myapp-171:v2
27 |           ports:
28 |             - name: http
29 |               containerPort: 8181
30 |           startupProbe:
31 |             tcpSocket:
32 |               port: 8181
33 |             initialDelaySeconds: 20
34 |             periodSeconds: 5
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/2-deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: RollingUpdate
10 |     rollingUpdate:
11 |       # Max number of Pods that can be unavailable during the update process
12 |       maxUnavailable: 1
13 |       # Max number of Pods that can be created over the desired number of Pods
14 |       maxSurge: 1
15 |   replicas: 10
16 |   selector:
17 |     matchLabels:
18 |       app: myapp
19 |   template:
20 |     metadata:
21 |       labels:
22 |         app: myapp
23 |     spec:
24 |       containers:
25 |         - name: myapp
26 |           image: aputra/myapp-171:v2
27 |           ports:
28 |             - name: http
29 |               containerPort: 8181
30 |           startupProbe:
31 |             tcpSocket:
32 |               port: 8181
33 |             initialDelaySeconds: 20
34 |             periodSeconds: 5
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: RollingUpdate
10 |     rollingUpdate:
11 |       maxUnavailable: 25%
12 |       maxSurge: 25%
13 |   replicas: 4
14 |   selector:
15 |     matchLabels:
16 |       app: myapp
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: myapp
21 |     spec:
22 |       containers:
23 |         - name: myapp
24 |           image: aputra/myapp-171:v2
25 |           ports:
26 |             - name: http
27 |               containerPort: 8181
28 |           startupProbe:
29 |             tcpSocket:
30 |               port: 8181
31 |             initialDelaySeconds: 20
32 |             periodSeconds: 5
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: RollingUpdate
10 |     rollingUpdate:
11 |       maxUnavailable: 25%
12 |       maxSurge: 25%
13 |   replicas: 4
14 |   selector:
15 |     matchLabels:
16 |       app: myapp
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: myapp
21 |     spec:
22 |       containers:
23 |         - name: myapp
24 |           image: aputra/myapp-171:v2
25 |           ports:
26 |             - name: http
27 |               containerPort: 8181
28 |           startupProbe:
29 |             tcpSocket:
30 |               port: 8181
31 |             initialDelaySeconds: 20
32 |             periodSeconds: 5
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: RollingUpdate
10 |     rollingUpdate:
11 |       maxUnavailable: 25%
12 |       maxSurge: 25%
13 |   replicas: 4
14 |   selector:
15 |     matchLabels:
16 |       app: myapp
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: myapp
21 |     spec:
22 |       containers:
23 |         - name: myapp
24 |           image: aputra/myapp-171:v2
25 |           ports:
26 |             - name: http
27 |               containerPort: 8181
28 |           startupProbe:
29 |             tcpSocket:
30 |               port: 8181
31 |             initialDelaySeconds: 20
32 |             periodSeconds: 5
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: RollingUpdate
10 |     rollingUpdate:
11 |       maxUnavailable: 25%
12 |       maxSurge: 25%
13 |   replicas: 4
14 |   selector:
15 |     matchLabels:
16 |       app: myapp
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: myapp
21 |     spec:
22 |       containers:
23 |         - name: myapp
24 |           image: aputra/myapp-171:v2
25 |           ports:
26 |             - name: http
27 |               containerPort: 8181
28 |           startupProbe:
29 |             tcpSocket:
30 |               port: 8181
31 |             initialDelaySeconds: 20
32 |             periodSeconds: 5
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: RollingUpdate
10 |     rollingUpdate:
11 |       maxUnavailable: 25%
12 |       maxSurge: 25%
13 |   replicas: 4
14 |   selector:
15 |     matchLabels:
16 |       app: myapp
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: myapp
21 |     spec:
22 |       containers:
23 |         - name: myapp
24 |           image: aputra/myapp-171:v2
25 |           ports:
26 |             - name: http
27 |               containerPort: 8181
28 |           startupProbe:
29 |             tcpSocket:
30 |               port: 8181
31 |             initialDelaySeconds: 20
32 |             periodSeconds: 5
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: RollingUpdate
10 |     rollingUpdate:
11 |       maxUnavailable: 25%
12 |       maxSurge: 25%
13 |   replicas: 4
14 |   selector:
15 |     matchLabels:
16 |       app: myapp
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: myapp
21 |     spec:
22 |       containers:
23 |         - name: myapp
24 |           image: aputra/myapp-171:v2
25 |           ports:
26 |             - name: http
27 |               containerPort: 8181
28 |           startupProbe:
29 |             tcpSocket:
30 |               port: 8181
31 |             initialDelaySeconds: 20
32 |             periodSeconds: 5
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: RollingUpdate
10 |     rollingUpdate:
11 |       maxUnavailable: 25%
12 |       maxSurge: 25%
13 |   replicas: 4
14 |   selector:
15 |     matchLabels:
16 |       app: myapp
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: myapp
21 |     spec:
22 |       containers:
23 |         - name: myapp
24 |           image: aputra/myapp-171:v2
25 |           ports:
26 |             - name: http
27 |               containerPort: 8181
28 |           startupProbe:
29 |             tcpSocket:
30 |               port: 8181
31 |             initialDelaySeconds: 20
32 |             periodSeconds: 5
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: RollingUpdate
10 |     rollingUpdate:
11 |       maxUnavailable: 25%
12 |       maxSurge: 25%
13 |   replicas: 4
14 |   selector:
15 |     matchLabels:
16 |       app: myapp
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: myapp
21 |     spec:
22 |       containers:
23 |         - name: myapp
24 |           image: aputra/myapp-171:v2
25 |           ports:
26 |             - name: http
27 |               containerPort: 8181
28 |           startupProbe:
29 |             tcpSocket:
30 |               port: 8181
31 |             initialDelaySeconds: 20
32 |             periodSeconds: 5
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: RollingUpdate
10 |     rollingUpdate:
11 |       maxUnavailable: 25%
12 |       maxSurge: 25%
13 |   replicas: 4
14 |   selector:
15 |     matchLabels:
16 |       app: myapp
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: myapp
21 |     spec:
22 |       containers:
23 |         - name: myapp
24 |           image: aputra/myapp-171:v2
25 |           ports:
26 |             - name: http
27 |               containerPort: 8181
28 |           startupProbe:
29 |             tcpSocket:
30 |               port: 8181
31 |             initialDelaySeconds: 20
32 |             periodSeconds: 5
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: RollingUpdate
10 |     rollingUpdate:
11 |       maxUnavailable: 25%
12 |       maxSurge: 25%
13 |   replicas: 4
14 |   selector:
15 |     matchLabels:
16 |       app: myapp
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: myapp
21 |     spec:
22 |       containers:
23 |         - name: myapp
24 |           image: aputra/myapp-171:v2
25 |           ports:
26 |             - name: http
27 |               containerPort: 8181
28 |           startupProbe:
29 |             tcpSocket:
30 |               port: 8181
31 |             initialDelaySeconds: 20
32 |             periodSeconds: 5
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: RollingUpdate
10 |     rollingUpdate:
11 |       maxUnavailable: 25%
12 |       maxSurge: 25%
13 |   replicas: 4
14 |   selector:
15 |     matchLabels:
16 |       app: myapp
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: myapp
21 |     spec:
22 |       containers:
23 |         - name: myapp
24 |           image: aputra/myapp-171:v2
25 |           ports:
26 |             - name: http
27 |               containerPort: 8181
28 |           startupProbe:
29 |             tcpSocket:
30 |               port: 8181
31 |             initialDelaySeconds: 20
32 |             periodSeconds: 5
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: RollingUpdate
10 |     rollingUpdate:
11 |       maxUnavailable: 25%
12 |       maxSurge: 25%
13 |   replicas: 4
14 |   selector:
15 |     matchLabels:
16 |       app: myapp
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: myapp
21 |     spec:
22 |       containers:
23 |         - name: myapp
24 |           image: aputra/myapp-171:v2
25 |           ports:
26 |             - name: http
27 |               containerPort: 8181
28 |           startupProbe:
29 |             tcpSocket:
30 |               port: 8181
31 |             initialDelaySeconds: 20
32 |             periodSeconds: 5
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: RollingUpdate
10 |     rollingUpdate:
11 |       maxUnavailable: 25%
12 |       maxSurge: 25%
13 |   replicas: 4
14 |   selector:
15 |     matchLabels:
16 |       app: myapp
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: myapp
21 |     spec:
22 |       containers:
23 |         - name: myapp
24 |           image: aputra/myapp-171:v2
25 |           ports:
26 |             - name: http
27 |               containerPort: 8181
28 |           startupProbe:
29 |             tcpSocket:
30 |               port: 8181
31 |             initialDelaySeconds: 20
32 |             periodSeconds: 5
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: RollingUpdate
10 |     rollingUpdate:
11 |       maxUnavailable: 25%
12 |       maxSurge: 25%
13 |   replicas: 4
14 |   selector:
15 |     matchLabels:
16 |       app: myapp
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: myapp
21 |     spec:
22 |       containers:
23 |         - name: myapp
24 |           image: aputra/myapp-171:v2
25 |           ports:
26 |             - name: http
27 |               containerPort: 8181
28 |           startupProbe:
29 |             tcpSocket:
30 |               port: 8181
31 |             initialDelaySeconds: 20
32 |             periodSeconds: 5
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: RollingUpdate
10 |     rollingUpdate:
11 |       maxUnavailable: 25%
12 |       maxSurge: 25%
13 |   replicas: 4
14 |   selector:
15 |     matchLabels:
16 |       app: myapp
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: myapp
21 |     spec:
22 |       containers:
23 |         - name: myapp
24 |           image: aputra/myapp-171:v2
25 |           ports:
26 |             - name: http
27 |               containerPort: 8181
28 |           startupProbe:
29 |             tcpSocket:
30 |               port: 8181
31 |             initialDelaySeconds: 20
32 |             periodSeconds: 5
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: RollingUpdate
10 |     rollingUpdate:
11 |       maxUnavailable: 25%
12 |       maxSurge: 25%
13 |   replicas: 4
14 |   selector:
15 |     matchLabels:
16 |       app: myapp
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: myapp
21 |     spec:
22 |       containers:
23 |         - name: myapp
24 |           image: aputra/myapp-171:v2
25 |           ports:
26 |             - name: http
27 |               containerPort: 8181
28 |           startupProbe:
29 |             tcpSocket:
30 |               port: 8181
31 |             initialDelaySeconds: 20
32 |             periodSeconds: 5
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: RollingUpdate
10 |     rollingUpdate:
11 |       maxUnavailable: 25%
12 |       maxSurge: 25%
13 |   replicas: 4
14 |   selector:
15 |     matchLabels:
16 |       app: myapp
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: myapp
21 |     spec:
22 |       containers:
23 |         - name: myapp
24 |           image: aputra/myapp-171:v2
25 |           ports:
26 |             - name: http
27 |               containerPort: 8181
28 |           startupProbe:
29 |             tcpSocket:
30 |               port: 8181
31 |             initialDelaySeconds: 20
32 |             periodSeconds: 5
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: RollingUpdate
10 |     rollingUpdate:
11 |       maxUnavailable: 25%
12 |       maxSurge: 25%
13 |   replicas: 4
14 |   selector:
15 |     matchLabels:
16 |       app: myapp
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: myapp
21 |     spec:
22 |       containers:
23 |         - name: myapp
24 |           image: aputra/myapp-171:v2
25 |           ports:
26 |             - name: http
27 |               containerPort: 8181
28 |           startupProbe:
29 |             tcpSocket:
30 |               port: 8181
31 |             initialDelaySeconds: 20
32 |             periodSeconds: 5
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.myapp
File: /lessons/171/1-rolling-update/1-deployment.yaml:2-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 |   namespace: default
7 | spec:
8 |   strategy:
9 |     type: RollingUpdate
10 |     rollingUpdate:
11 |       maxUnavailable: 25%
12 |       maxSurge: 25%
13 |   replicas: 4
14 |   selector:
15 |     matchLabels:
16 |       app: myapp
17 |   template:
18 |     metadata:
19 |       labels:
20 |         app: myapp
21 |     spec:
22 |       containers:
23 |         - name: myapp
24 |           image: aputra/myapp-171:v2
25 |           ports:
26 |             - name: http
27 |               containerPort: 8181
28 |           startupProbe:
29 |             tcpSocket:
30 |               port: 8181
31 |             initialDelaySeconds: 20
32 |             periodSeconds: 5
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/064/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: nginx-deployment
5 |   namespace: default
6 | spec:
7 |   replicas: 1
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/064/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: nginx-deployment
5 |   namespace: default
6 | spec:
7 |   replicas: 1
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/064/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: nginx-deployment
5 |   namespace: default
6 | spec:
7 |   replicas: 1
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/064/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: nginx-deployment
5 |   namespace: default
6 | spec:
7 |   replicas: 1
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/064/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: nginx-deployment
5 |   namespace: default
6 | spec:
7 |   replicas: 1
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/064/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: nginx-deployment
5 |   namespace: default
6 | spec:
7 |   replicas: 1
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/064/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: nginx-deployment
5 |   namespace: default
6 | spec:
7 |   replicas: 1
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/064/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: nginx-deployment
5 |   namespace: default
6 | spec:
7 |   replicas: 1
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/064/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: nginx-deployment
5 |   namespace: default
6 | spec:
7 |   replicas: 1
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/064/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: nginx-deployment
5 |   namespace: default
6 | spec:
7 |   replicas: 1
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/064/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: nginx-deployment
5 |   namespace: default
6 | spec:
7 |   replicas: 1
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/064/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: nginx-deployment
5 |   namespace: default
6 | spec:
7 |   replicas: 1
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/064/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: nginx-deployment
5 |   namespace: default
6 | spec:
7 |   replicas: 1
8 |   selector:
9 |     matchLabels:
10 |       app: nginx
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: nginx
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: nginx:1.14.2
19 |           ports:
20 |             - containerPort: 80
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/064/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-deployment
5 | namespace: default
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/064/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-deployment
5 | namespace: default
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/064/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-deployment
5 | namespace: default
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/064/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-deployment
5 | namespace: default
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/064/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-deployment
5 | namespace: default
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx-deployment
File: /lessons/064/0-deployment.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-deployment
5 | namespace: default
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14.2
19 | ports:
20 | - containerPort: 80
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.nginx
File: /lessons/064/1-service.yaml:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 | name: nginx
5 | namespace: default
6 | spec:
7 | type: LoadBalancer
8 | ports:
9 | - protocol: TCP
10 | port: 80
11 | targetPort: 80
12 | selector:
13 | app: nginx
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Ingress.default.nginx
File: /lessons/174/example/3-ingress.yaml:2-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: networking.k8s.io/v1
3 | kind: Ingress
4 | metadata:
5 | name: nginx
6 | spec:
7 | rules:
8 | - host: www.example.com
9 | http:
10 | paths:
11 | - path: /
12 | pathType: Prefix
13 | backend:
14 | service:
15 | name: nginx
16 | port:
17 | number: 80
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.nginx
File: /lessons/174/example/2-service.yaml:2-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: Service
4 | metadata:
5 | name: nginx
6 | spec:
7 | selector:
8 | app: nginx
9 | ports:
10 | - port: 80
11 | targetPort: http
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/174/example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.25.2
19 | ports:
20 | - name: http
21 | containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx
File: /lessons/174/example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.25.2
19 | ports:
20 | - name: http
21 | containerPort: 80
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/174/example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.25.2
19 | ports:
20 | - name: http
21 | containerPort: 80
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx
File: /lessons/174/example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.25.2
19 | ports:
20 | - name: http
21 | containerPort: 80
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/174/example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.25.2
19 | ports:
20 | - name: http
21 | containerPort: 80
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/174/example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.25.2
19 | ports:
20 | - name: http
21 | containerPort: 80
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/174/example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.25.2
19 | ports:
20 | - name: http
21 | containerPort: 80
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx
File: /lessons/174/example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.25.2
19 | ports:
20 | - name: http
21 | containerPort: 80
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx
File: /lessons/174/example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.25.2
19 | ports:
20 | - name: http
21 | containerPort: 80
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx
File: /lessons/174/example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.25.2
19 | ports:
20 | - name: http
21 | containerPort: 80
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /lessons/174/example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.25.2
19 | ports:
20 | - name: http
21 | containerPort: 80
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx
File: /lessons/174/example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.25.2
19 | ports:
20 | - name: http
21 | containerPort: 80
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/174/example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.25.2
19 | ports:
20 | - name: http
21 | containerPort: 80
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx
File: /lessons/174/example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.25.2
19 | ports:
20 | - name: http
21 | containerPort: 80
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx
File: /lessons/174/example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.25.2
19 | ports:
20 | - name: http
21 | containerPort: 80
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx
File: /lessons/174/example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.25.2
19 | ports:
20 | - name: http
21 | containerPort: 80
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.nginx
File: /lessons/174/example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.25.2
19 | ports:
20 | - name: http
21 | containerPort: 80
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx
File: /lessons/174/example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.25.2
19 | ports:
20 | - name: http
21 | containerPort: 80
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx
File: /lessons/174/example/1-deployment.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: nginx
6 | spec:
7 | replicas: 1
8 | selector:
9 | matchLabels:
10 | app: nginx
11 | template:
12 | metadata:
13 | labels:
14 | app: nginx
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.25.2
19 | ports:
20 | - name: http
21 | containerPort: 80
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.staging.kafka-client
File: /lessons/152/kafka-client.yaml:2-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: kafka-client
6 | namespace: staging
7 | spec:
8 | containers:
9 | - name: kafka
10 | image: ubuntu/kafka
11 | command: ["/bin/bash", "-c", "--"]
12 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.staging.kafka-client
File: /lessons/152/kafka-client.yaml:2-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: kafka-client
6 | namespace: staging
7 | spec:
8 | containers:
9 | - name: kafka
10 | image: ubuntu/kafka
11 | command: ["/bin/bash", "-c", "--"]
12 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Pod.staging.kafka-client
File: /lessons/152/kafka-client.yaml:2-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: kafka-client
6 | namespace: staging
7 | spec:
8 | containers:
9 | - name: kafka
10 | image: ubuntu/kafka
11 | command: ["/bin/bash", "-c", "--"]
12 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.staging.kafka-client
File: /lessons/152/kafka-client.yaml:2-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: kafka-client
6 | namespace: staging
7 | spec:
8 | containers:
9 | - name: kafka
10 | image: ubuntu/kafka
11 | command: ["/bin/bash", "-c", "--"]
12 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.staging.kafka-client
File: /lessons/152/kafka-client.yaml:2-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: kafka-client
6 | namespace: staging
7 | spec:
8 | containers:
9 | - name: kafka
10 | image: ubuntu/kafka
11 | command: ["/bin/bash", "-c", "--"]
12 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.staging.kafka-client
File: /lessons/152/kafka-client.yaml:2-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: kafka-client
6 | namespace: staging
7 | spec:
8 | containers:
9 | - name: kafka
10 | image: ubuntu/kafka
11 | command: ["/bin/bash", "-c", "--"]
12 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.staging.kafka-client
File: /lessons/152/kafka-client.yaml:2-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: kafka-client
6 | namespace: staging
7 | spec:
8 | containers:
9 | - name: kafka
10 | image: ubuntu/kafka
11 | command: ["/bin/bash", "-c", "--"]
12 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.staging.kafka-client
File: /lessons/152/kafka-client.yaml:2-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: kafka-client
6 | namespace: staging
7 | spec:
8 | containers:
9 | - name: kafka
10 | image: ubuntu/kafka
11 | command: ["/bin/bash", "-c", "--"]
12 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.staging.kafka-client
File: /lessons/152/kafka-client.yaml:2-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: kafka-client
6 | namespace: staging
7 | spec:
8 | containers:
9 | - name: kafka
10 | image: ubuntu/kafka
11 | command: ["/bin/bash", "-c", "--"]
12 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.staging.kafka-client
File: /lessons/152/kafka-client.yaml:2-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: kafka-client
6 | namespace: staging
7 | spec:
8 | containers:
9 | - name: kafka
10 | image: ubuntu/kafka
11 | command: ["/bin/bash", "-c", "--"]
12 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.staging.kafka-client
File: /lessons/152/kafka-client.yaml:2-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: kafka-client
6 | namespace: staging
7 | spec:
8 | containers:
9 | - name: kafka
10 | image: ubuntu/kafka
11 | command: ["/bin/bash", "-c", "--"]
12 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.staging.kafka-client
File: /lessons/152/kafka-client.yaml:2-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: kafka-client
6 | namespace: staging
7 | spec:
8 | containers:
9 | - name: kafka
10 | image: ubuntu/kafka
11 | command: ["/bin/bash", "-c", "--"]
12 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.staging.kafka-client
File: /lessons/152/kafka-client.yaml:2-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: kafka-client
6 | namespace: staging
7 | spec:
8 | containers:
9 | - name: kafka
10 | image: ubuntu/kafka
11 | command: ["/bin/bash", "-c", "--"]
12 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.staging.kafka-client
File: /lessons/152/kafka-client.yaml:2-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: kafka-client
6 | namespace: staging
7 | spec:
8 | containers:
9 | - name: kafka
10 | image: ubuntu/kafka
11 | command: ["/bin/bash", "-c", "--"]
12 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.staging.kafka-client
File: /lessons/152/kafka-client.yaml:2-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: kafka-client
6 | namespace: staging
7 | spec:
8 | containers:
9 | - name: kafka
10 | image: ubuntu/kafka
11 | command: ["/bin/bash", "-c", "--"]
12 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Pod.staging.kafka-client
File: /lessons/152/kafka-client.yaml:2-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: kafka-client
6 | namespace: staging
7 | spec:
8 | containers:
9 | - name: kafka
10 | image: ubuntu/kafka
11 | command: ["/bin/bash", "-c", "--"]
12 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.staging.kafka-client
File: /lessons/152/kafka-client.yaml:2-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: kafka-client
6 | namespace: staging
7 | spec:
8 | containers:
9 | - name: kafka
10 | image: ubuntu/kafka
11 | command: ["/bin/bash", "-c", "--"]
12 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.staging.kafka-client
File: /lessons/152/kafka-client.yaml:2-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: v1
3 | kind: Pod
4 | metadata:
5 | name: kafka-client
6 | namespace: staging
7 | spec:
8 | containers:
9 | - name: kafka
10 | image: ubuntu/kafka
11 | command: ["/bin/bash", "-c", "--"]
12 | args: ["while true; do sleep 30; done;"]
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/152/monitoring/cadvison/daemonset.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/152/monitoring/cadvison/daemonset.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/152/monitoring/cadvison/daemonset.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/152/monitoring/cadvison/daemonset.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/152/monitoring/cadvison/daemonset.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/152/monitoring/cadvison/daemonset.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/152/monitoring/cadvison/daemonset.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/152/monitoring/cadvison/daemonset.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/152/monitoring/cadvison/daemonset.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/152/monitoring/cadvison/daemonset.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/152/monitoring/cadvison/daemonset.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/152/monitoring/cadvison/daemonset.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: DaemonSet.monitoring.cadvisor
File: /lessons/152/monitoring/cadvison/daemonset.yaml:2-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
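The cAdvisor DaemonSet above collects twelve findings, and not all of them can be closed by editing the manifest: a node-level metrics agent that reads host cgroup and container-runtime state has to run as root, so CKV_K8S_23 and CKV_K8S_40 will keep failing no matter what. The right move is to suppress exactly those checks inline, with a reason that is reviewed together with the manifest, rather than to silence them globally. The fragment below is an added example, not the repository's daemonset.yaml (which the scan output does not reproduce); it shows only the resource header and the checkov skip annotations, and the justification text is the editor's assumption about why cAdvisor needs root, which you should confirm against your own node configuration.

```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: cadvisor
  namespace: monitoring
  annotations:
    # checkov reads one check ID per checkov.io/skipN annotation; the numeric
    # suffix only has to be unique within the resource. Everything after '='
    # is the justification checkov prints next to the SKIPPED result.
    checkov.io/skip1: CKV_K8S_23=cAdvisor reads host cgroup and container-runtime state that is only readable as root
    checkov.io/skip2: CKV_K8S_40=bound by the same root requirement as CKV_K8S_23
```

The rest of the DaemonSet (selector, template, hostPath mounts) stays as it is in the repository. The other findings on this resource (allowPrivilegeEscalation, NET_RAW and the capability set, read-only root filesystem, seccomp profile, probes, image digest, pull policy) are not excused by the root requirement and should be fixed the same way as for the application Deployments further down. The CLI alternative, `--skip-check CKV_K8S_23,CKV_K8S_40`, applies to every resource in the scan and loses the per-resource justification, which is why the annotation form is preferable here.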
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: ClusterRole.default.prometheus-operator
File: /lessons/152/monitoring/prometheus-operator/rbac.yaml:19-98
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/152/monitoring/prometheus-operator/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/152/monitoring/prometheus-operator/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/152/monitoring/prometheus-operator/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/152/monitoring/prometheus-operator/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/152/monitoring/prometheus-operator/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/152/monitoring/prometheus-operator/deployment.yaml:2-54
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: StatefulSet.kafka.kafka
File: /lessons/152/kafka/3-statefulset.yaml:2-209
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: StatefulSet.kafka.kafka
File: /lessons/152/kafka/3-statefulset.yaml:2-209
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: StatefulSet.kafka.kafka
File: /lessons/152/kafka/3-statefulset.yaml:2-209
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: StatefulSet.kafka.kafka
File: /lessons/152/kafka/3-statefulset.yaml:2-209
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: StatefulSet.kafka.kafka
File: /lessons/152/kafka/3-statefulset.yaml:2-209
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: StatefulSet.kafka.kafka
File: /lessons/152/kafka/3-statefulset.yaml:2-209
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: StatefulSet.kafka.kafka
File: /lessons/152/kafka/3-statefulset.yaml:2-209
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: StatefulSet.kafka.kafka
File: /lessons/152/kafka/3-statefulset.yaml:2-209
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: StatefulSet.kafka.kafka
File: /lessons/152/kafka/3-statefulset.yaml:2-209
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: StatefulSet.kafka.kafka
File: /lessons/152/kafka/3-statefulset.yaml:2-209
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: StatefulSet.kafka.kafka
File: /lessons/152/kafka/3-statefulset.yaml:2-209
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.grpc-client
File: /lessons/152/app/deploy/grpc-client/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: grpc-client
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: grpc-client
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: grpc-client
16 |     spec:
17 |       containers:
18 |         - name: grpc-client
19 |           image: aputra/grpc-client-lesson152:latest
20 |           args:
21 |             - -addr
22 |             - grpc-server:8082
23 |             - -sleep
24 |             - "yes"
25 |           ports:
26 |             - name: metrics
27 |               containerPort: 8081
28 |           resources:
29 |             requests:
30 |               memory: 256Mi
31 |               cpu: 200m
32 |             limits:
33 |               memory: 256Mi
34 |               cpu: 200m
35 |       affinity:
36 |         podAntiAffinity:
37 |           requiredDuringSchedulingIgnoredDuringExecution:
38 |             - labelSelector:
39 |                 matchExpressions:
40 |                   - key: app
41 |                     operator: In
42 |                     values:
43 |                       - grpc-client
44 |                       - grpc-server
45 |               topologyKey: "kubernetes.io/hostname"
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.grpc-client
File: /lessons/152/app/deploy/grpc-client/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.grpc-client
File: /lessons/152/app/deploy/grpc-client/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.grpc-client
File: /lessons/152/app/deploy/grpc-client/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.grpc-client
File: /lessons/152/app/deploy/grpc-client/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.grpc-client
File: /lessons/152/app/deploy/grpc-client/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.grpc-client
File: /lessons/152/app/deploy/grpc-client/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.grpc-client
File: /lessons/152/app/deploy/grpc-client/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.grpc-client
File: /lessons/152/app/deploy/grpc-client/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.grpc-client
File: /lessons/152/app/deploy/grpc-client/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.grpc-client
File: /lessons/152/app/deploy/grpc-client/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.grpc-client
File: /lessons/152/app/deploy/grpc-client/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.staging.grpc-client
File: /lessons/152/app/deploy/grpc-client/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.grpc-client
File: /lessons/152/app/deploy/grpc-client/deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
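Every finding on Deployment.staging.grpc-client comes from the same 44-line manifest, and all fourteen can be closed in one edit of the pod template. The manifest below is an added example written for this page, not the repository's deployment.yaml; it keeps the original args, ports, resources and anti-affinity and adds the fields each check looks for, with the check ID in a comment next to the field that satisfies it. Assumptions that are not on the page: UID/GID 10001 (the image must ship a binary that this UID can execute), an HTTP /metrics endpoint on the existing metrics port for the probes, a /tmp emptyDir in case the binary needs scratch space, and a placeholder tag and digest in the image reference that you must replace with real values from the registry. The kafka-agent Deployment that follows fails the same checks and takes exactly the same changes.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grpc-client
  namespace: staging
spec:
  replicas: 1
  selector:
    matchLabels:
      app: grpc-client
  template:
    metadata:
      labels:
        app: grpc-client
    spec:
      # CKV_K8S_38: the client talks to grpc-server, not to the API server,
      # so it has no use for a projected service-account token.
      automountServiceAccountToken: false
      # CKV_K8S_29, CKV_K8S_23, CKV_K8S_40, CKV_K8S_31 at pod level.
      # UID 10001 is an assumption; the binary in the image must be
      # executable by this UID or the pod will crash-loop.
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        runAsGroup: 10001
        fsGroup: 10001
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: grpc-client
          # CKV_K8S_14 and CKV_K8S_43: pin a tag and a digest. The tag is for
          # humans; the digest is what the kubelet actually resolves. Both
          # values here are placeholders, not published artifacts.
          image: aputra/grpc-client-lesson152:v0.1.0@sha256:REPLACE_WITH_DIGEST
          # CKV_K8S_15: with a :latest tag the default pull policy was already
          # Always, which is why the check did not fire above. Once the tag is
          # pinned the default becomes IfNotPresent, so set it explicitly.
          imagePullPolicy: Always
          args:
            - -addr
            - grpc-server:8082
            - -sleep
            - "yes"
          ports:
            - name: metrics
              containerPort: 8081
          # CKV_K8S_8 and CKV_K8S_9: the metrics port is the only one the
          # container exposes, so probe it. The /metrics path is an assumption.
          livenessProbe:
            httpGet:
              path: /metrics
              port: metrics
            initialDelaySeconds: 10
            periodSeconds: 20
          readinessProbe:
            httpGet:
              path: /metrics
              port: metrics
            initialDelaySeconds: 5
            periodSeconds: 10
          # CKV_K8S_30, CKV_K8S_20, CKV_K8S_22, CKV_K8S_28, CKV_K8S_37 at
          # container level. Dropping ALL covers NET_RAW as well.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 10001
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          resources:
            requests:
              memory: 256Mi
              cpu: 200m
            limits:
              memory: 256Mi
              cpu: 200m
          # Scratch space so readOnlyRootFilesystem does not have to be
          # relaxed if the binary writes temporary files (assumed path).
          volumeMounts:
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: tmp
          emptyDir: {}
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: app
                    operator: In
                    values:
                      - grpc-client
                      - grpc-server
              topologyKey: "kubernetes.io/hostname"
```

Two things to verify after applying this rather than trusting the scanner alone: run the pod once and confirm it stays Running under UID 10001 with a read-only root filesystem (a crash-loop here means the image needs a writable path or a different UID, not that the hardening is wrong), and re-run checkov, because pinning the tag changes which checks apply (CKV_K8S_15 in particular). Older checkov releases evaluated CKV_K8S_31 only through the seccomp pod annotation rather than securityContext.seccompProfile; if the check still fails on a current manifest, that is the first thing to compare against your checkov version.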
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.kafka-agent
File: /lessons/152/app/deploy/kafka-agent/deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: kafka-agent
6 |   namespace: staging
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: kafka-agent
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: kafka-agent
16 |     spec:
17 |       containers:
18 |         - name: kafka-agent
19 |           image: aputra/kafka-agent-lesson152:latest
20 |           args:
21 |             - -kafka-brokers
22 |             - kafka-headless.kafka
23 |             - -sleep
24 |             - "yes"
25 |           ports:
26 |             - name: metrics
27 |               containerPort: 8081
28 |           resources:
29 |             requests:
30 |               memory: 512Mi
31 |               cpu: 400m
32 |             limits:
33 |               memory: 512Mi
34 |               cpu: 400m
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.kafka-agent
File: /lessons/152/app/deploy/kafka-agent/deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.kafka-agent
File: /lessons/152/app/deploy/kafka-agent/deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.kafka-agent
File: /lessons/152/app/deploy/kafka-agent/deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: kafka-agent
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: kafka-agent
12 | template:
13 | metadata:
14 | labels:
15 | app: kafka-agent
16 | spec:
17 | containers:
18 | - name: kafka-agent
19 | image: aputra/kafka-agent-lesson152:latest
20 | args:
21 | - -kafka-brokers
22 | - kafka-headless.kafka
23 | - -sleep
24 | - "yes"
25 | ports:
26 | - name: metrics
27 | containerPort: 8081
28 | resources:
29 | requests:
30 | memory: 512Mi
31 | cpu: 400m
32 | limits:
33 | memory: 512Mi
34 | cpu: 400m
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.kafka-agent
File: /lessons/152/app/deploy/kafka-agent/deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: kafka-agent
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: kafka-agent
12 | template:
13 | metadata:
14 | labels:
15 | app: kafka-agent
16 | spec:
17 | containers:
18 | - name: kafka-agent
19 | image: aputra/kafka-agent-lesson152:latest
20 | args:
21 | - -kafka-brokers
22 | - kafka-headless.kafka
23 | - -sleep
24 | - "yes"
25 | ports:
26 | - name: metrics
27 | containerPort: 8081
28 | resources:
29 | requests:
30 | memory: 512Mi
31 | cpu: 400m
32 | limits:
33 | memory: 512Mi
34 | cpu: 400m
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.kafka-agent
File: /lessons/152/app/deploy/kafka-agent/deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: kafka-agent
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: kafka-agent
12 | template:
13 | metadata:
14 | labels:
15 | app: kafka-agent
16 | spec:
17 | containers:
18 | - name: kafka-agent
19 | image: aputra/kafka-agent-lesson152:latest
20 | args:
21 | - -kafka-brokers
22 | - kafka-headless.kafka
23 | - -sleep
24 | - "yes"
25 | ports:
26 | - name: metrics
27 | containerPort: 8081
28 | resources:
29 | requests:
30 | memory: 512Mi
31 | cpu: 400m
32 | limits:
33 | memory: 512Mi
34 | cpu: 400m
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.kafka-agent
File: /lessons/152/app/deploy/kafka-agent/deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: kafka-agent
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: kafka-agent
12 | template:
13 | metadata:
14 | labels:
15 | app: kafka-agent
16 | spec:
17 | containers:
18 | - name: kafka-agent
19 | image: aputra/kafka-agent-lesson152:latest
20 | args:
21 | - -kafka-brokers
22 | - kafka-headless.kafka
23 | - -sleep
24 | - "yes"
25 | ports:
26 | - name: metrics
27 | containerPort: 8081
28 | resources:
29 | requests:
30 | memory: 512Mi
31 | cpu: 400m
32 | limits:
33 | memory: 512Mi
34 | cpu: 400m
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.kafka-agent
File: /lessons/152/app/deploy/kafka-agent/deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: kafka-agent
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: kafka-agent
12 | template:
13 | metadata:
14 | labels:
15 | app: kafka-agent
16 | spec:
17 | containers:
18 | - name: kafka-agent
19 | image: aputra/kafka-agent-lesson152:latest
20 | args:
21 | - -kafka-brokers
22 | - kafka-headless.kafka
23 | - -sleep
24 | - "yes"
25 | ports:
26 | - name: metrics
27 | containerPort: 8081
28 | resources:
29 | requests:
30 | memory: 512Mi
31 | cpu: 400m
32 | limits:
33 | memory: 512Mi
34 | cpu: 400m
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.kafka-agent
File: /lessons/152/app/deploy/kafka-agent/deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: kafka-agent
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: kafka-agent
12 | template:
13 | metadata:
14 | labels:
15 | app: kafka-agent
16 | spec:
17 | containers:
18 | - name: kafka-agent
19 | image: aputra/kafka-agent-lesson152:latest
20 | args:
21 | - -kafka-brokers
22 | - kafka-headless.kafka
23 | - -sleep
24 | - "yes"
25 | ports:
26 | - name: metrics
27 | containerPort: 8081
28 | resources:
29 | requests:
30 | memory: 512Mi
31 | cpu: 400m
32 | limits:
33 | memory: 512Mi
34 | cpu: 400m
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.kafka-agent
File: /lessons/152/app/deploy/kafka-agent/deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: kafka-agent
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: kafka-agent
12 | template:
13 | metadata:
14 | labels:
15 | app: kafka-agent
16 | spec:
17 | containers:
18 | - name: kafka-agent
19 | image: aputra/kafka-agent-lesson152:latest
20 | args:
21 | - -kafka-brokers
22 | - kafka-headless.kafka
23 | - -sleep
24 | - "yes"
25 | ports:
26 | - name: metrics
27 | containerPort: 8081
28 | resources:
29 | requests:
30 | memory: 512Mi
31 | cpu: 400m
32 | limits:
33 | memory: 512Mi
34 | cpu: 400m
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.kafka-agent
File: /lessons/152/app/deploy/kafka-agent/deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: kafka-agent
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: kafka-agent
12 | template:
13 | metadata:
14 | labels:
15 | app: kafka-agent
16 | spec:
17 | containers:
18 | - name: kafka-agent
19 | image: aputra/kafka-agent-lesson152:latest
20 | args:
21 | - -kafka-brokers
22 | - kafka-headless.kafka
23 | - -sleep
24 | - "yes"
25 | ports:
26 | - name: metrics
27 | containerPort: 8081
28 | resources:
29 | requests:
30 | memory: 512Mi
31 | cpu: 400m
32 | limits:
33 | memory: 512Mi
34 | cpu: 400m
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.kafka-agent
File: /lessons/152/app/deploy/kafka-agent/deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: kafka-agent
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: kafka-agent
12 | template:
13 | metadata:
14 | labels:
15 | app: kafka-agent
16 | spec:
17 | containers:
18 | - name: kafka-agent
19 | image: aputra/kafka-agent-lesson152:latest
20 | args:
21 | - -kafka-brokers
22 | - kafka-headless.kafka
23 | - -sleep
24 | - "yes"
25 | ports:
26 | - name: metrics
27 | containerPort: 8081
28 | resources:
29 | requests:
30 | memory: 512Mi
31 | cpu: 400m
32 | limits:
33 | memory: 512Mi
34 | cpu: 400m
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.staging.kafka-agent
File: /lessons/152/app/deploy/kafka-agent/deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: kafka-agent
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: kafka-agent
12 | template:
13 | metadata:
14 | labels:
15 | app: kafka-agent
16 | spec:
17 | containers:
18 | - name: kafka-agent
19 | image: aputra/kafka-agent-lesson152:latest
20 | args:
21 | - -kafka-brokers
22 | - kafka-headless.kafka
23 | - -sleep
24 | - "yes"
25 | ports:
26 | - name: metrics
27 | containerPort: 8081
28 | resources:
29 | requests:
30 | memory: 512Mi
31 | cpu: 400m
32 | limits:
33 | memory: 512Mi
34 | cpu: 400m
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.kafka-agent
File: /lessons/152/app/deploy/kafka-agent/deployment.yaml:2-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: kafka-agent
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: kafka-agent
12 | template:
13 | metadata:
14 | labels:
15 | app: kafka-agent
16 | spec:
17 | containers:
18 | - name: kafka-agent
19 | image: aputra/kafka-agent-lesson152:latest
20 | args:
21 | - -kafka-brokers
22 | - kafka-headless.kafka
23 | - -sleep
24 | - "yes"
25 | ports:
26 | - name: metrics
27 | containerPort: 8081
28 | resources:
29 | requests:
30 | memory: 512Mi
31 | cpu: 400m
32 | limits:
33 | memory: 512Mi
34 | cpu: 400m
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.staging.grpc-server
File: /lessons/152/app/deploy/grpc-server/deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: grpc-server
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: grpc-server
12 | template:
13 | metadata:
14 | labels:
15 | app: grpc-server
16 | spec:
17 | containers:
18 | - name: grpc-server
19 | image: aputra/grpc-server-lesson152:latest
20 | ports:
21 | - name: grpc-server
22 | containerPort: 8082
23 | resources:
24 | requests:
25 | memory: 256Mi
26 | cpu: 200m
27 | limits:
28 | memory: 256Mi
29 | cpu: 200m
30 | affinity:
31 | podAntiAffinity:
32 | requiredDuringSchedulingIgnoredDuringExecution:
33 | - labelSelector:
34 | matchExpressions:
35 | - key: app
36 | operator: In
37 | values:
38 | - grpc-server
39 | - grpc-client
40 | topologyKey: "kubernetes.io/hostname"
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.staging.grpc-server
File: /lessons/152/app/deploy/grpc-server/deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: grpc-server
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: grpc-server
12 | template:
13 | metadata:
14 | labels:
15 | app: grpc-server
16 | spec:
17 | containers:
18 | - name: grpc-server
19 | image: aputra/grpc-server-lesson152:latest
20 | ports:
21 | - name: grpc-server
22 | containerPort: 8082
23 | resources:
24 | requests:
25 | memory: 256Mi
26 | cpu: 200m
27 | limits:
28 | memory: 256Mi
29 | cpu: 200m
30 | affinity:
31 | podAntiAffinity:
32 | requiredDuringSchedulingIgnoredDuringExecution:
33 | - labelSelector:
34 | matchExpressions:
35 | - key: app
36 | operator: In
37 | values:
38 | - grpc-server
39 | - grpc-client
40 | topologyKey: "kubernetes.io/hostname"
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.staging.grpc-server
File: /lessons/152/app/deploy/grpc-server/deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: grpc-server
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: grpc-server
12 | template:
13 | metadata:
14 | labels:
15 | app: grpc-server
16 | spec:
17 | containers:
18 | - name: grpc-server
19 | image: aputra/grpc-server-lesson152:latest
20 | ports:
21 | - name: grpc-server
22 | containerPort: 8082
23 | resources:
24 | requests:
25 | memory: 256Mi
26 | cpu: 200m
27 | limits:
28 | memory: 256Mi
29 | cpu: 200m
30 | affinity:
31 | podAntiAffinity:
32 | requiredDuringSchedulingIgnoredDuringExecution:
33 | - labelSelector:
34 | matchExpressions:
35 | - key: app
36 | operator: In
37 | values:
38 | - grpc-server
39 | - grpc-client
40 | topologyKey: "kubernetes.io/hostname"
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.staging.grpc-server
File: /lessons/152/app/deploy/grpc-server/deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: grpc-server
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: grpc-server
12 | template:
13 | metadata:
14 | labels:
15 | app: grpc-server
16 | spec:
17 | containers:
18 | - name: grpc-server
19 | image: aputra/grpc-server-lesson152:latest
20 | ports:
21 | - name: grpc-server
22 | containerPort: 8082
23 | resources:
24 | requests:
25 | memory: 256Mi
26 | cpu: 200m
27 | limits:
28 | memory: 256Mi
29 | cpu: 200m
30 | affinity:
31 | podAntiAffinity:
32 | requiredDuringSchedulingIgnoredDuringExecution:
33 | - labelSelector:
34 | matchExpressions:
35 | - key: app
36 | operator: In
37 | values:
38 | - grpc-server
39 | - grpc-client
40 | topologyKey: "kubernetes.io/hostname"
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.staging.grpc-server
File: /lessons/152/app/deploy/grpc-server/deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: grpc-server
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: grpc-server
12 | template:
13 | metadata:
14 | labels:
15 | app: grpc-server
16 | spec:
17 | containers:
18 | - name: grpc-server
19 | image: aputra/grpc-server-lesson152:latest
20 | ports:
21 | - name: grpc-server
22 | containerPort: 8082
23 | resources:
24 | requests:
25 | memory: 256Mi
26 | cpu: 200m
27 | limits:
28 | memory: 256Mi
29 | cpu: 200m
30 | affinity:
31 | podAntiAffinity:
32 | requiredDuringSchedulingIgnoredDuringExecution:
33 | - labelSelector:
34 | matchExpressions:
35 | - key: app
36 | operator: In
37 | values:
38 | - grpc-server
39 | - grpc-client
40 | topologyKey: "kubernetes.io/hostname"
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.staging.grpc-server
File: /lessons/152/app/deploy/grpc-server/deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: grpc-server
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: grpc-server
12 | template:
13 | metadata:
14 | labels:
15 | app: grpc-server
16 | spec:
17 | containers:
18 | - name: grpc-server
19 | image: aputra/grpc-server-lesson152:latest
20 | ports:
21 | - name: grpc-server
22 | containerPort: 8082
23 | resources:
24 | requests:
25 | memory: 256Mi
26 | cpu: 200m
27 | limits:
28 | memory: 256Mi
29 | cpu: 200m
30 | affinity:
31 | podAntiAffinity:
32 | requiredDuringSchedulingIgnoredDuringExecution:
33 | - labelSelector:
34 | matchExpressions:
35 | - key: app
36 | operator: In
37 | values:
38 | - grpc-server
39 | - grpc-client
40 | topologyKey: "kubernetes.io/hostname"
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.staging.grpc-server
File: /lessons/152/app/deploy/grpc-server/deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: grpc-server
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: grpc-server
12 | template:
13 | metadata:
14 | labels:
15 | app: grpc-server
16 | spec:
17 | containers:
18 | - name: grpc-server
19 | image: aputra/grpc-server-lesson152:latest
20 | ports:
21 | - name: grpc-server
22 | containerPort: 8082
23 | resources:
24 | requests:
25 | memory: 256Mi
26 | cpu: 200m
27 | limits:
28 | memory: 256Mi
29 | cpu: 200m
30 | affinity:
31 | podAntiAffinity:
32 | requiredDuringSchedulingIgnoredDuringExecution:
33 | - labelSelector:
34 | matchExpressions:
35 | - key: app
36 | operator: In
37 | values:
38 | - grpc-server
39 | - grpc-client
40 | topologyKey: "kubernetes.io/hostname"
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.staging.grpc-server
File: /lessons/152/app/deploy/grpc-server/deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: grpc-server
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: grpc-server
12 | template:
13 | metadata:
14 | labels:
15 | app: grpc-server
16 | spec:
17 | containers:
18 | - name: grpc-server
19 | image: aputra/grpc-server-lesson152:latest
20 | ports:
21 | - name: grpc-server
22 | containerPort: 8082
23 | resources:
24 | requests:
25 | memory: 256Mi
26 | cpu: 200m
27 | limits:
28 | memory: 256Mi
29 | cpu: 200m
30 | affinity:
31 | podAntiAffinity:
32 | requiredDuringSchedulingIgnoredDuringExecution:
33 | - labelSelector:
34 | matchExpressions:
35 | - key: app
36 | operator: In
37 | values:
38 | - grpc-server
39 | - grpc-client
40 | topologyKey: "kubernetes.io/hostname"
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.staging.grpc-server
File: /lessons/152/app/deploy/grpc-server/deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: grpc-server
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: grpc-server
12 | template:
13 | metadata:
14 | labels:
15 | app: grpc-server
16 | spec:
17 | containers:
18 | - name: grpc-server
19 | image: aputra/grpc-server-lesson152:latest
20 | ports:
21 | - name: grpc-server
22 | containerPort: 8082
23 | resources:
24 | requests:
25 | memory: 256Mi
26 | cpu: 200m
27 | limits:
28 | memory: 256Mi
29 | cpu: 200m
30 | affinity:
31 | podAntiAffinity:
32 | requiredDuringSchedulingIgnoredDuringExecution:
33 | - labelSelector:
34 | matchExpressions:
35 | - key: app
36 | operator: In
37 | values:
38 | - grpc-server
39 | - grpc-client
40 | topologyKey: "kubernetes.io/hostname"
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.staging.grpc-server
File: /lessons/152/app/deploy/grpc-server/deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: grpc-server
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: grpc-server
12 | template:
13 | metadata:
14 | labels:
15 | app: grpc-server
16 | spec:
17 | containers:
18 | - name: grpc-server
19 | image: aputra/grpc-server-lesson152:latest
20 | ports:
21 | - name: grpc-server
22 | containerPort: 8082
23 | resources:
24 | requests:
25 | memory: 256Mi
26 | cpu: 200m
27 | limits:
28 | memory: 256Mi
29 | cpu: 200m
30 | affinity:
31 | podAntiAffinity:
32 | requiredDuringSchedulingIgnoredDuringExecution:
33 | - labelSelector:
34 | matchExpressions:
35 | - key: app
36 | operator: In
37 | values:
38 | - grpc-server
39 | - grpc-client
40 | topologyKey: "kubernetes.io/hostname"
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.staging.grpc-server
File: /lessons/152/app/deploy/grpc-server/deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: grpc-server
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: grpc-server
12 | template:
13 | metadata:
14 | labels:
15 | app: grpc-server
16 | spec:
17 | containers:
18 | - name: grpc-server
19 | image: aputra/grpc-server-lesson152:latest
20 | ports:
21 | - name: grpc-server
22 | containerPort: 8082
23 | resources:
24 | requests:
25 | memory: 256Mi
26 | cpu: 200m
27 | limits:
28 | memory: 256Mi
29 | cpu: 200m
30 | affinity:
31 | podAntiAffinity:
32 | requiredDuringSchedulingIgnoredDuringExecution:
33 | - labelSelector:
34 | matchExpressions:
35 | - key: app
36 | operator: In
37 | values:
38 | - grpc-server
39 | - grpc-client
40 | topologyKey: "kubernetes.io/hostname"
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.staging.grpc-server
File: /lessons/152/app/deploy/grpc-server/deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: grpc-server
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: grpc-server
12 | template:
13 | metadata:
14 | labels:
15 | app: grpc-server
16 | spec:
17 | containers:
18 | - name: grpc-server
19 | image: aputra/grpc-server-lesson152:latest
20 | ports:
21 | - name: grpc-server
22 | containerPort: 8082
23 | resources:
24 | requests:
25 | memory: 256Mi
26 | cpu: 200m
27 | limits:
28 | memory: 256Mi
29 | cpu: 200m
30 | affinity:
31 | podAntiAffinity:
32 | requiredDuringSchedulingIgnoredDuringExecution:
33 | - labelSelector:
34 | matchExpressions:
35 | - key: app
36 | operator: In
37 | values:
38 | - grpc-server
39 | - grpc-client
40 | topologyKey: "kubernetes.io/hostname"
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.staging.grpc-server
File: /lessons/152/app/deploy/grpc-server/deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: grpc-server
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: grpc-server
12 | template:
13 | metadata:
14 | labels:
15 | app: grpc-server
16 | spec:
17 | containers:
18 | - name: grpc-server
19 | image: aputra/grpc-server-lesson152:latest
20 | ports:
21 | - name: grpc-server
22 | containerPort: 8082
23 | resources:
24 | requests:
25 | memory: 256Mi
26 | cpu: 200m
27 | limits:
28 | memory: 256Mi
29 | cpu: 200m
30 | affinity:
31 | podAntiAffinity:
32 | requiredDuringSchedulingIgnoredDuringExecution:
33 | - labelSelector:
34 | matchExpressions:
35 | - key: app
36 | operator: In
37 | values:
38 | - grpc-server
39 | - grpc-client
40 | topologyKey: "kubernetes.io/hostname"
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.staging.grpc-server
File: /lessons/152/app/deploy/grpc-server/deployment.yaml:2-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: grpc-server
6 | namespace: staging
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: grpc-server
12 | template:
13 | metadata:
14 | labels:
15 | app: grpc-server
16 | spec:
17 | containers:
18 | - name: grpc-server
19 | image: aputra/grpc-server-lesson152:latest
20 | ports:
21 | - name: grpc-server
22 | containerPort: 8082
23 | resources:
24 | requests:
25 | memory: 256Mi
26 | cpu: 200m
27 | limits:
28 | memory: 256Mi
29 | cpu: 200m
30 | affinity:
31 | podAntiAffinity:
32 | requiredDuringSchedulingIgnoredDuringExecution:
33 | - labelSelector:
34 | matchExpressions:
35 | - key: app
36 | operator: In
37 | values:
38 | - grpc-server
39 | - grpc-client
40 | topologyKey: "kubernetes.io/hostname"
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: StatefulSet.zookeeper.zookeeper
File: /lessons/152/zookeeper/2-statefulset.yaml:2-147
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: StatefulSet.zookeeper.zookeeper
File: /lessons/152/zookeeper/2-statefulset.yaml:2-147
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: StatefulSet.zookeeper.zookeeper
File: /lessons/152/zookeeper/2-statefulset.yaml:2-147
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: StatefulSet.zookeeper.zookeeper
File: /lessons/152/zookeeper/2-statefulset.yaml:2-147
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: StatefulSet.zookeeper.zookeeper
File: /lessons/152/zookeeper/2-statefulset.yaml:2-147
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: StatefulSet.zookeeper.zookeeper
File: /lessons/152/zookeeper/2-statefulset.yaml:2-147
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: StatefulSet.zookeeper.zookeeper
File: /lessons/152/zookeeper/2-statefulset.yaml:2-147
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: StatefulSet.zookeeper.zookeeper
File: /lessons/152/zookeeper/2-statefulset.yaml:2-147
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.myapp
File: /lessons/168/k8s/deployment.yaml:2-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: myapp
6 | spec:
7 |   replicas: 3
8 |   selector:
9 |     matchLabels:
10 |       app: myapp
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: myapp
15 |     spec:
16 |       containers:
17 |       - image: 424432388155.dkr.ecr.us-east-2.amazonaws.com/myapp:v1
18 |         imagePullPolicy: Always
19 |         name: myapp
20 |         ports:
21 |         - name: http
22 |           containerPort: 8080
23 |         env:
24 |         - name: VERSION
25 |           value: v1
26 |       affinity:
27 |         podAntiAffinity:
28 |           requiredDuringSchedulingIgnoredDuringExecution:
29 |           - labelSelector:
30 |               matchExpressions:
31 |               - key: app
32 |                 operator: In
33 |                 values:
34 |                 - myapp
35 |             topologyKey: "kubernetes.io/hostname"
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.myapp
File: /lessons/168/k8s/deployment.yaml:2-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.myapp
File: /lessons/168/k8s/deployment.yaml:2-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.myapp
File: /lessons/168/k8s/deployment.yaml:2-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.myapp
File: /lessons/168/k8s/deployment.yaml:2-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.myapp
File: /lessons/168/k8s/deployment.yaml:2-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.myapp
File: /lessons/168/k8s/deployment.yaml:2-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.myapp
File: /lessons/168/k8s/deployment.yaml:2-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.myapp
File: /lessons/168/k8s/deployment.yaml:2-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.myapp
File: /lessons/168/k8s/deployment.yaml:2-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.myapp
File: /lessons/168/k8s/deployment.yaml:2-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.myapp
File: /lessons/168/k8s/deployment.yaml:2-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.myapp
File: /lessons/168/k8s/deployment.yaml:2-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.myapp
File: /lessons/168/k8s/deployment.yaml:2-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.myapp
File: /lessons/168/k8s/deployment.yaml:2-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.myapp
File: /lessons/168/k8s/deployment.yaml:2-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.myapp
File: /lessons/168/k8s/deployment.yaml:2-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.myapp
File: /lessons/168/k8s/deployment.yaml:2-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
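The eighteen findings above for Deployment.default.myapp all come from the same 34-line manifest, and every one of them is fixable in that file. The manifest below is an added, remediated version written for this page; it is not the repository's own /lessons/168/k8s/deployment.yaml and the tutorial author has not published it. Each added field is annotated with the CKV_K8S check it satisfies. The namespace name `myapp`, the UID 10001, the `/health` probe path, the resource sizes and the all-zero sha256 digest are assumptions for illustration and must be replaced with values that match the real image and workload.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
  namespace: myapp                        # CKV_K8S_21: not "default" (assumed name; create it before applying)
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      automountServiceAccountToken: false # CKV_K8S_38: myapp never talks to the API server, so no token is mounted
      securityContext:                    # CKV_K8S_29: pod-level securityContext
        runAsNonRoot: true                # CKV_K8S_23: kubelet refuses to start the container if the image runs as UID 0
        runAsUser: 10001                  # CKV_K8S_40: checkov wants a UID of 10000 or above (assumed UID; must exist in the image)
        runAsGroup: 10001
        fsGroup: 10001
        seccompProfile:
          type: RuntimeDefault            # CKV_K8S_31: container runtime's default seccomp profile
      containers:
      - name: myapp
        # CKV_K8S_43: pin by digest so a re-tagged v1 cannot change what runs.
        # The digest below is a PLACEHOLDER, not the real digest of this image.
        image: 424432388155.dkr.ecr.us-east-2.amazonaws.com/myapp:v1@sha256:0000000000000000000000000000000000000000000000000000000000000000
        imagePullPolicy: Always           # CKV_K8S_15 (already passing in the original)
        ports:
        - name: http
          containerPort: 8080
        env:
        - name: VERSION
          value: v1
        securityContext:                  # CKV_K8S_30: container-level securityContext
          allowPrivilegeEscalation: false # CKV_K8S_20: blocks setuid binaries and file capabilities from gaining privilege
          readOnlyRootFilesystem: true    # CKV_K8S_22: writes go only to the emptyDir mounted at /tmp below
          capabilities:
            drop:
            - ALL                         # CKV_K8S_37; also covers CKV_K8S_28 because NET_RAW is part of ALL
        resources:                        # CKV_K8S_10, CKV_K8S_11, CKV_K8S_12, CKV_K8S_13 (sizes assumed; measure real usage)
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 500m
            memory: 256Mi
        livenessProbe:                    # CKV_K8S_8 (endpoint path assumed)
          httpGet:
            path: /health
            port: http
          initialDelaySeconds: 5
          periodSeconds: 10
        readinessProbe:                   # CKV_K8S_9
          httpGet:
            path: /health
            port: http
          periodSeconds: 5
        volumeMounts:
        - name: tmp
          mountPath: /tmp                 # scratch space because the root filesystem is read-only
      volumes:
      - name: tmp
        emptyDir: {}
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
              - key: app
                operator: In
                values:
                - myapp
            topologyKey: "kubernetes.io/hostname"
```

Before applying, fetch the real digest from ECR (`aws ecr describe-images --repository-name myapp --image-ids imageTag=v1 --query 'imageDetails[0].imageDigest' --output text`) and substitute it for the placeholder, then re-scan with `checkov -f lessons/168/k8s/deployment.yaml --framework kubernetes` to confirm the CKV_K8S checks listed above now pass. Three of these settings can break a workload that was tuned to the permissive original: `runAsNonRoot`/`runAsUser` require an image whose process actually runs as that UID, `readOnlyRootFilesystem` fails any write outside the /tmp emptyDir, and digest pinning means every release has to update the manifest rather than re-push the `v1` tag.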
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: StatefulSet.monitoring.storegateway
File: /lessons/163/thanos-2/3-storegateway-sts.yaml:2-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: StatefulSet.monitoring.storegateway
File: /lessons/163/thanos-2/3-storegateway-sts.yaml:2-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: StatefulSet.monitoring.storegateway
File: /lessons/163/thanos-2/3-storegateway-sts.yaml:2-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: StatefulSet.monitoring.storegateway
File: /lessons/163/thanos-2/3-storegateway-sts.yaml:2-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: StatefulSet.monitoring.storegateway
File: /lessons/163/thanos-2/3-storegateway-sts.yaml:2-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: StatefulSet.monitoring.storegateway
File: /lessons/163/thanos-2/3-storegateway-sts.yaml:2-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: StatefulSet.monitoring.storegateway
File: /lessons/163/thanos-2/3-storegateway-sts.yaml:2-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: StatefulSet.monitoring.storegateway
File: /lessons/163/thanos-2/3-storegateway-sts.yaml:2-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: StatefulSet.monitoring.storegateway
File: /lessons/163/thanos-2/3-storegateway-sts.yaml:2-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: StatefulSet.monitoring.storegateway
File: /lessons/163/thanos-2/3-storegateway-sts.yaml:2-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: StatefulSet.monitoring.storegateway
File: /lessons/163/thanos-2/3-storegateway-sts.yaml:2-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: StatefulSet.monitoring.storegateway
File: /lessons/163/thanos-2/3-storegateway-sts.yaml:2-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: StatefulSet.monitoring.storegateway
File: /lessons/163/thanos-2/3-storegateway-sts.yaml:2-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.monitoring.compactor
File: /lessons/163/thanos-2/6-compactor-deployment.yaml:2-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.compactor
File: /lessons/163/thanos-2/6-compactor-deployment.yaml:2-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.monitoring.compactor
File: /lessons/163/thanos-2/6-compactor-deployment.yaml:2-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.monitoring.compactor
File: /lessons/163/thanos-2/6-compactor-deployment.yaml:2-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.compactor
File: /lessons/163/thanos-2/6-compactor-deployment.yaml:2-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.monitoring.compactor
File: /lessons/163/thanos-2/6-compactor-deployment.yaml:2-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.monitoring.compactor
File: /lessons/163/thanos-2/6-compactor-deployment.yaml:2-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.monitoring.compactor
File: /lessons/163/thanos-2/6-compactor-deployment.yaml:2-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.monitoring.compactor
File: /lessons/163/thanos-2/6-compactor-deployment.yaml:2-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.monitoring.compactor
File: /lessons/163/thanos-2/6-compactor-deployment.yaml:2-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.monitoring.compactor
File: /lessons/163/thanos-2/6-compactor-deployment.yaml:2-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.compactor
File: /lessons/163/thanos-2/6-compactor-deployment.yaml:2-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.compactor
File: /lessons/163/thanos-2/6-compactor-deployment.yaml:2-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.querier
File: /lessons/163/thanos-2/1-querier-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.monitoring.querier
File: /lessons/163/thanos-2/1-querier-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.monitoring.querier
File: /lessons/163/thanos-2/1-querier-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.querier
File: /lessons/163/thanos-2/1-querier-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.monitoring.querier
File: /lessons/163/thanos-2/1-querier-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.monitoring.querier
File: /lessons/163/thanos-2/1-querier-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.monitoring.querier
File: /lessons/163/thanos-2/1-querier-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.monitoring.querier
File: /lessons/163/thanos-2/1-querier-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.querier
File: /lessons/163/thanos-2/1-querier-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.querier
File: /lessons/163/thanos-2/1-querier-deployment.yaml:2-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/163/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: batch/v1
3 | kind: Job
4 | metadata:
5 |   name: minio-post-job
6 |   namespace: minio
7 | spec:
8 |   template:
9 |     metadata:
10 |       labels:
11 |         app: minio-job
12 |       annotations:
13 |         sidecar.istio.io/inject: "false"
14 |     spec:
15 |       restartPolicy: OnFailure
16 |       volumes:
17 |         - name: minio-configuration
18 |           projected:
19 |             sources:
20 |               - configMap:
21 |                   name: minio
22 |               - secret:
23 |                   name: minio
24 |       containers:
25 |         - name: minio-make-user
26 |           image: "quay.io/minio/mc:RELEASE.2022-12-13T00-23-28Z"
27 |           imagePullPolicy: IfNotPresent
28 |           command: ["/bin/sh", "/config/add-user"]
29 |           env:
30 |             - name: MINIO_ENDPOINT
31 |               value: minio
32 |             - name: MINIO_PORT
33 |               value: "9000"
34 |           volumeMounts:
35 |             - name: minio-configuration
36 |               mountPath: /config
37 |           resources:
38 |             requests:
39 |               memory: 128Mi
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/163/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are identical to those shown above under CKV_K8S_11 (lines 2-39 of minio-post-job.yaml).
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/163/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are identical to those shown above under CKV_K8S_11 (lines 2-39 of minio-post-job.yaml).
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/163/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are identical to those shown above under CKV_K8S_11 (lines 2-39 of minio-post-job.yaml).
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/163/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are identical to those shown above under CKV_K8S_11 (lines 2-39 of minio-post-job.yaml).
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/163/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are identical to those shown above under CKV_K8S_11 (lines 2-39 of minio-post-job.yaml).
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/163/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are identical to those shown above under CKV_K8S_11 (lines 2-39 of minio-post-job.yaml).
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/163/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are identical to those shown above under CKV_K8S_11 (lines 2-39 of minio-post-job.yaml).
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/163/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are identical to those shown above under CKV_K8S_11 (lines 2-39 of minio-post-job.yaml).
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/163/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are identical to those shown above under CKV_K8S_11 (lines 2-39 of minio-post-job.yaml).
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/163/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are identical to those shown above under CKV_K8S_11 (lines 2-39 of minio-post-job.yaml).
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/163/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are identical to those shown above under CKV_K8S_11 (lines 2-39 of minio-post-job.yaml).
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/163/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are identical to those shown above under CKV_K8S_11 (lines 2-39 of minio-post-job.yaml).
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/163/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are identical to those shown above under CKV_K8S_11 (lines 2-39 of minio-post-job.yaml).
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Job.minio.minio-post-job
File: /lessons/163/minio/minio-post-job.yaml:2-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are identical to those shown above under CKV_K8S_11 (lines 2-39 of minio-post-job.yaml).
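Every finding reported above for Job.minio.minio-post-job comes from three omissions in the same 38-line manifest: no securityContext at pod or container level, no CPU request/limit or memory limit, and a service-account token mounted into a pod that only talks to MinIO. The same check set is also what fails on the querier, storegateway, compactor and minio Deployment/StatefulSet resources in this scan, so the fix pattern below carries over to them. What follows is an added example, not a file from the antonputra/tutorials repository: a hardened rewrite of the Job that clears each listed CKV_K8S check. Assumed values are the UID/GID 10001, the resource limits, the MC_CONFIG_DIR/emptyDir arrangement used to keep the root filesystem read-only, and the image digest, which is a placeholder that must be replaced with the real digest of the pinned tag before the manifest is applied.

```yaml
# Added example (not the repository's own minio-post-job.yaml): hardened rewrite
# that addresses every CKV_K8S_* finding reported for this Job. Values marked
# "assumed" are illustrative choices, not taken from the original manifest.
apiVersion: batch/v1
kind: Job
metadata:
  name: minio-post-job
  namespace: minio
spec:
  template:
    metadata:
      labels:
        app: minio-job
      annotations:
        sidecar.istio.io/inject: "false"
    spec:
      restartPolicy: OnFailure
      # CKV_K8S_38: the add-user script only talks to MinIO, never to the API server,
      # so a projected service-account token in the pod is pure attack surface.
      automountServiceAccountToken: false
      # CKV_K8S_29 / CKV_K8S_31: pod-level security context with the runtime's
      # default seccomp profile, inherited by every container in the pod.
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      volumes:
        - name: minio-configuration
          projected:
            sources:
              - configMap:
                  name: minio
              - secret:
                  name: minio
        # Assumed: writable scratch volume for mc's own config directory, so the
        # container root filesystem can be mounted read-only (CKV_K8S_22).
        - name: mc-config
          emptyDir: {}
      containers:
        - name: minio-make-user
          # CKV_K8S_43: pin by digest rather than by mutable tag. The digest here is a
          # PLACEHOLDER; resolve the real one with
          #   crane digest quay.io/minio/mc:RELEASE.2022-12-13T00-23-28Z
          # or: docker pull <tag> && docker inspect --format '{{index .RepoDigests 0}}' <tag>
          image: "quay.io/minio/mc@sha256:<digest-of-RELEASE.2022-12-13T00-23-28Z>"
          # CKV_K8S_15: always consult the registry; with a digest this is cache-safe.
          imagePullPolicy: Always
          command: ["/bin/sh", "/config/add-user"]
          env:
            - name: MINIO_ENDPOINT
              value: minio
            - name: MINIO_PORT
              value: "9000"
            # Assumed: redirect mc's config dir (it defaults to ~/.mc) to the emptyDir.
            - name: MC_CONFIG_DIR
              value: /mc-config
          volumeMounts:
            - name: minio-configuration
              mountPath: /config
              readOnly: true
            - name: mc-config
              mountPath: /mc-config
          # CKV_K8S_30 / 20 / 22 / 23 / 28 / 37 / 40: container-level security context.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 10001      # assumed; any UID >= 10000 satisfies CKV_K8S_40
            runAsGroup: 10001     # assumed
            capabilities:
              drop: ["ALL"]       # removes NET_RAW along with every other capability
          # CKV_K8S_10 / 11 / 12 / 13: requests and limits for both CPU and memory.
          # Limit values are assumed; size them from observed usage of the job.
          resources:
            requests:
              cpu: 50m
              memory: 128Mi
            limits:
              cpu: 250m
              memory: 256Mi
```

Re-run the scanner on the lesson directory after editing (`checkov -d lessons/163/minio --framework kubernetes`) to confirm the Job no longer appears in the failed list. Two points to check on a live cluster before committing to this shape: the `add-user` script shipped in the `minio` ConfigMap must not write anywhere outside `/mc-config` or `/tmp`-style emptyDir mounts, or the read-only root filesystem will make the Job fail, which is the "where possible" qualifier in CKV_K8S_22; and the UID you choose must be able to read the projected ConfigMap/Secret files, which is the case for the default file mode of a projected volume.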
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.minio.minio
File: /lessons/163/minio/deployment.yaml:2-88
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.minio.minio
File: /lessons/163/minio/deployment.yaml:2-88
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.minio.minio
File: /lessons/163/minio/deployment.yaml:2-88
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.minio.minio
File: /lessons/163/minio/deployment.yaml:2-88
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.minio.minio
File: /lessons/163/minio/deployment.yaml:2-88
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.minio.minio
File: /lessons/163/minio/deployment.yaml:2-88
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.minio.minio
File: /lessons/163/minio/deployment.yaml:2-88
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.minio.minio
File: /lessons/163/minio/deployment.yaml:2-88
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.minio.minio
File: /lessons/163/minio/deployment.yaml:2-88
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.minio.minio
File: /lessons/163/minio/deployment.yaml:2-88
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.minio.minio
File: /lessons/163/minio/deployment.yaml:2-88
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.minio.minio
File: /lessons/163/minio/deployment.yaml:2-88
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.minio.minio
File: /lessons/163/minio/deployment.yaml:2-88
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: StatefulSet.monitoring.storegateway
File: /lessons/163/thanos/3-storegateway-sts.yaml:2-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: StatefulSet.monitoring.storegateway
File: /lessons/163/thanos/3-storegateway-sts.yaml:2-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: StatefulSet.monitoring.storegateway
File: /lessons/163/thanos/3-storegateway-sts.yaml:2-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: StatefulSet.monitoring.storegateway
File: /lessons/163/thanos/3-storegateway-sts.yaml:2-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: StatefulSet.monitoring.storegateway
File: /lessons/163/thanos/3-storegateway-sts.yaml:2-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: StatefulSet.monitoring.storegateway
File: /lessons/163/thanos/3-storegateway-sts.yaml:2-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: StatefulSet.monitoring.storegateway
File: /lessons/163/thanos/3-storegateway-sts.yaml:2-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: StatefulSet.monitoring.storegateway
File: /lessons/163/thanos/3-storegateway-sts.yaml:2-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: StatefulSet.monitoring.storegateway
File: /lessons/163/thanos/3-storegateway-sts.yaml:2-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: StatefulSet.monitoring.storegateway
File: /lessons/163/thanos/3-storegateway-sts.yaml:2-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: StatefulSet.monitoring.storegateway
File: /lessons/163/thanos/3-storegateway-sts.yaml:2-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: StatefulSet.monitoring.storegateway
File: /lessons/163/thanos/3-storegateway-sts.yaml:2-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: StatefulSet.monitoring.storegateway
File: /lessons/163/thanos/3-storegateway-sts.yaml:2-113
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.monitoring.compactor
File: /lessons/163/thanos/6-compactor-deployment.yaml:2-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.compactor
File: /lessons/163/thanos/6-compactor-deployment.yaml:2-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.monitoring.compactor
File: /lessons/163/thanos/6-compactor-deployment.yaml:2-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.monitoring.compactor
File: /lessons/163/thanos/6-compactor-deployment.yaml:2-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.compactor
File: /lessons/163/thanos/6-compactor-deployment.yaml:2-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.monitoring.compactor
File: /lessons/163/thanos/6-compactor-deployment.yaml:2-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.monitoring.compactor
File: /lessons/163/thanos/6-compactor-deployment.yaml:2-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.monitoring.compactor
File: /lessons/163/thanos/6-compactor-deployment.yaml:2-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.monitoring.compactor
File: /lessons/163/thanos/6-compactor-deployment.yaml:2-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.monitoring.compactor
File: /lessons/163/thanos/6-compactor-deployment.yaml:2-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.monitoring.compactor
File: /lessons/163/thanos/6-compactor-deployment.yaml:2-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.compactor
File: /lessons/163/thanos/6-compactor-deployment.yaml:2-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.compactor
File: /lessons/163/thanos/6-compactor-deployment.yaml:2-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.querier
File: /lessons/163/thanos/1-querier-deployment.yaml:2-82
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.monitoring.querier
File: /lessons/163/thanos/1-querier-deployment.yaml:2-82
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.monitoring.querier
File: /lessons/163/thanos/1-querier-deployment.yaml:2-82
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.querier
File: /lessons/163/thanos/1-querier-deployment.yaml:2-82
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.monitoring.querier
File: /lessons/163/thanos/1-querier-deployment.yaml:2-82
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.monitoring.querier
File: /lessons/163/thanos/1-querier-deployment.yaml:2-82
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.monitoring.querier
File: /lessons/163/thanos/1-querier-deployment.yaml:2-82
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.monitoring.querier
File: /lessons/163/thanos/1-querier-deployment.yaml:2-82
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.querier
File: /lessons/163/thanos/1-querier-deployment.yaml:2-82
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.querier
File: /lessons/163/thanos/1-querier-deployment.yaml:2-82
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/163/prometheus-operator/deployment/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/163/prometheus-operator/deployment/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/163/prometheus-operator/deployment/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/163/prometheus-operator/deployment/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/163/prometheus-operator/deployment/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/163/prometheus-operator/deployment/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: ClusterRole.default.prometheus-operator
File: /lessons/163/prometheus-operator/deployment/1-cluster-role.yaml:2-87
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
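CKV_K8S_49 flags the prometheus-operator ClusterRole for a `*` in one of its rules. A wildcard in `verbs`, `resources` or `apiGroups` authorises operations nobody enumerated, including resource kinds added to the API group after the role was written, so the review question is not "does the operator work" but "what else does this spelling permit". The block below is an added example, not code from the antonputra/tutorials repository or from checkov: it implements the wildcard check over a ClusterRole dict and pairs it with a simplified RBAC matcher that shows concretely what the wildcard and enumerated spellings each authorise. Both ClusterRoles are constructed illustrations, not the repository's 1-cluster-role.yaml; the tightened rule set is an assumption about what the operator needs and should be derived from its real API calls (for instance from API server audit logs) rather than copied.

```python
"""Added example, not from the repository or from checkov: a minimal check for
CKV_K8S_49 (wildcards in Roles/ClusterRoles) plus a tiny RBAC matcher that
shows what a wildcard rule actually authorises. Both roles below are
constructed illustrations, not the repository's 1-cluster-role.yaml."""

# Wildcard version: one rule quietly grants every verb on every current and
# future resource in the monitoring.coreos.com group.
WILDCARD_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
    "metadata": {"name": "prometheus-operator"},
    "rules": [
        {"apiGroups": ["monitoring.coreos.com"], "resources": ["*"], "verbs": ["*"]},
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["list", "watch"]},
    ],
}

# Tightened version: an assumed equivalent intent, spelled out resource by resource.
TIGHT_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
    "metadata": {"name": "prometheus-operator-tight"},
    "rules": [
        {"apiGroups": ["monitoring.coreos.com"],
         "resources": ["prometheuses", "servicemonitors", "podmonitors", "alertmanagers"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["monitoring.coreos.com"],
         "resources": ["prometheuses/status", "alertmanagers/status"],
         "verbs": ["update"]},
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["list", "watch"]},
    ],
}

def wildcard_rules(role):
    """(rule index, field) for every '*' found in apiGroups, resources or verbs."""
    return [(i, field)
            for i, rule in enumerate(role.get("rules", []))
            for field in ("apiGroups", "resources", "verbs")
            if "*" in rule.get(field, [])]

def passes_ckv_k8s_49(role):
    return not wildcard_rules(role)

def _matches(rule, field, value):
    allowed = rule.get(field, [])
    return value in allowed or "*" in allowed

def grants(role, api_group, resource, verb):
    """Simplified RBAC evaluation: any single rule matching all three fields
    authorises the request (resourceNames and nonResourceURLs are ignored)."""
    return any(_matches(r, "apiGroups", api_group) and _matches(r, "resources", resource)
               and _matches(r, "verbs", verb) for r in role["rules"])

if __name__ == "__main__":
    for role in (WILDCARD_ROLE, TIGHT_ROLE):
        print(role["metadata"]["name"], "wildcards:", wildcard_rules(role),
              "| may delete prometheuses:",
              grants(role, "monitoring.coreos.com", "prometheuses", "delete"))
```

The wildcard role reports two hits on rule 0 and authorises `delete` on `prometheuses` (and anything else in the group) even though the operator only needs to read and update status; the enumerated role passes the check and refuses that delete while still allowing the verbs it lists. The matcher is deliberately simplified: real RBAC also evaluates `resourceNames`, `nonResourceURLs` and aggregated ClusterRoles, so use `kubectl auth can-i --as=system:serviceaccount:<ns>:<sa>` against a live cluster for the authoritative answer.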
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: StatefulSet.monitoring.receiver-2
File: /lessons/163/receiver-2/statefulset.yaml:2-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: StatefulSet.monitoring.receiver-2
File: /lessons/163/receiver-2/statefulset.yaml:2-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: StatefulSet.monitoring.receiver-2
File: /lessons/163/receiver-2/statefulset.yaml:2-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: StatefulSet.monitoring.receiver-2
File: /lessons/163/receiver-2/statefulset.yaml:2-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: StatefulSet.monitoring.receiver-2
File: /lessons/163/receiver-2/statefulset.yaml:2-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: StatefulSet.monitoring.receiver-2
File: /lessons/163/receiver-2/statefulset.yaml:2-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: StatefulSet.monitoring.receiver-2
File: /lessons/163/receiver-2/statefulset.yaml:2-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: StatefulSet.monitoring.receiver-2
File: /lessons/163/receiver-2/statefulset.yaml:2-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: StatefulSet.monitoring.receiver-2
File: /lessons/163/receiver-2/statefulset.yaml:2-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: StatefulSet.monitoring.receiver-2
File: /lessons/163/receiver-2/statefulset.yaml:2-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: StatefulSet.monitoring.receiver-2
File: /lessons/163/receiver-2/statefulset.yaml:2-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: StatefulSet.monitoring.receiver-2
File: /lessons/163/receiver-2/statefulset.yaml:2-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: StatefulSet.monitoring.receiver-2
File: /lessons/163/receiver-2/statefulset.yaml:2-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: StatefulSet.monitoring.receiver-1
File: /lessons/163/receiver-1/statefulset.yaml:2-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: StatefulSet.monitoring.receiver-1
File: /lessons/163/receiver-1/statefulset.yaml:2-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: StatefulSet.monitoring.receiver-1
File: /lessons/163/receiver-1/statefulset.yaml:2-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: StatefulSet.monitoring.receiver-1
File: /lessons/163/receiver-1/statefulset.yaml:2-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: StatefulSet.monitoring.receiver-1
File: /lessons/163/receiver-1/statefulset.yaml:2-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: StatefulSet.monitoring.receiver-1
File: /lessons/163/receiver-1/statefulset.yaml:2-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: StatefulSet.monitoring.receiver-1
File: /lessons/163/receiver-1/statefulset.yaml:2-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: StatefulSet.monitoring.receiver-1
File: /lessons/163/receiver-1/statefulset.yaml:2-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: StatefulSet.monitoring.receiver-1
File: /lessons/163/receiver-1/statefulset.yaml:2-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: StatefulSet.monitoring.receiver-1
File: /lessons/163/receiver-1/statefulset.yaml:2-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: StatefulSet.monitoring.receiver-1
File: /lessons/163/receiver-1/statefulset.yaml:2-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: StatefulSet.monitoring.receiver-1
File: /lessons/163/receiver-1/statefulset.yaml:2-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: StatefulSet.monitoring.receiver-1
File: /lessons/163/receiver-1/statefulset.yaml:2-131
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/134/grafana/6-deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/134/grafana/6-deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/134/grafana/6-deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/134/grafana/6-deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/134/grafana/6-deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/134/grafana/6-deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/134/grafana/6-deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/134/grafana/6-deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/134/grafana/6-deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/134/grafana/6-deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.grafana.grafana
File: /lessons/134/grafana/6-deployment.yaml:2-89
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/134/kube-state-metrics/3-deployment.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: kube-state-metrics
6 | namespace: monitoring
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app.kubernetes.io/name: kube-state-metrics
12 | template:
13 | metadata:
14 | labels:
15 | app.kubernetes.io/name: kube-state-metrics
16 | spec:
17 | automountServiceAccountToken: true
18 | containers:
19 | - image: registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.6.0
20 | livenessProbe:
21 | httpGet:
22 | path: /healthz
23 | port: 8080
24 | initialDelaySeconds: 5
25 | timeoutSeconds: 5
26 | name: kube-state-metrics
27 | ports:
28 | - containerPort: 8080
29 | name: http-metrics
30 | - containerPort: 8081
31 | name: telemetry
32 | readinessProbe:
33 | httpGet:
34 | path: /
35 | port: 8081
36 | initialDelaySeconds: 5
37 | timeoutSeconds: 5
38 | securityContext:
39 | allowPrivilegeEscalation: false
40 | capabilities:
41 | drop:
42 | - ALL
43 | readOnlyRootFilesystem: true
44 | runAsUser: 65534
45 | nodeSelector:
46 | kubernetes.io/os: linux
47 | serviceAccountName: kube-state-metrics
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/134/kube-state-metrics/3-deployment.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/134/kube-state-metrics/3-deployment.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/134/kube-state-metrics/3-deployment.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/134/kube-state-metrics/3-deployment.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/134/kube-state-metrics/3-deployment.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/134/kube-state-metrics/3-deployment.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/134/kube-state-metrics/3-deployment.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /lessons/134/kube-state-metrics/3-deployment.yaml:2-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
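The nine findings above all land on the same Deployment, and the scan output shows the manifest without saying what would satisfy each check. The script below is an added example (not checkov's code and not from the tutorials repository): it reimplements the checks in simplified form, following the check descriptions rather than checkov's internals, runs them over the scanned manifest embedded as a Python dict, then builds a hardened copy and shows which findings it clears. Two caveats a practitioner should apply before changing the file. First, kube-state-metrics lists objects from the API server, so it needs its service account token; setting automountServiceAccountToken: false would break it, and the honest response to CKV_K8S_38 here is checkov's documented checkov.io/skipN annotation with a reason. Second, an image pinned by @sha256 digest is immutable, so imagePullPolicy: IfNotPresent cannot serve a different image; the script accepts either a digest or Always for CKV_K8S_15. The resource values and the digest in the hardened copy are placeholders.

```python
import copy
import re

# Constructed from the scanned /lessons/134/kube-state-metrics/3-deployment.yaml;
# only the fields the checks below inspect are reproduced.
KSM_SCANNED = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "kube-state-metrics", "namespace": "monitoring"},
    "spec": {"template": {"spec": {
        "automountServiceAccountToken": True,
        "serviceAccountName": "kube-state-metrics",
        "containers": [{
            "name": "kube-state-metrics",
            "image": "registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.6.0",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
                "readOnlyRootFilesystem": True,
                "runAsUser": 65534,
            },
        }],
    }}},
}

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
SECCOMP_FIELD_OK = {"RuntimeDefault", "Localhost"}
SECCOMP_ANNOTATION_OK = {"runtime/default", "docker/default"}  # deprecated annotation form


def _pod(manifest):
    return manifest["spec"]["template"]["spec"]


def _containers(manifest):
    pod = _pod(manifest)
    return pod.get("containers", []) + pod.get("initContainers", [])


def seccomp_ok(manifest):  # CKV_K8S_31
    """A pod-level seccompProfile (or the old pod annotation) covers every container;
    without one, every container must set its own profile."""
    ann = manifest["spec"]["template"].get("metadata", {}).get("annotations", {})
    if ann.get("seccomp.security.alpha.kubernetes.io/pod") in SECCOMP_ANNOTATION_OK:
        return True
    if _pod(manifest).get("securityContext", {}).get("seccompProfile", {}).get("type") in SECCOMP_FIELD_OK:
        return True
    return all(c.get("securityContext", {}).get("seccompProfile", {}).get("type") in SECCOMP_FIELD_OK
               for c in _containers(manifest))


def token_not_mounted(manifest):  # CKV_K8S_38
    return _pod(manifest).get("automountServiceAccountToken") is False


def images_pinned_by_digest(manifest):  # CKV_K8S_43
    return all(bool(DIGEST_RE.search(c.get("image", ""))) for c in _containers(manifest))


def missing_resources(manifest):  # CKV_K8S_10, 11, 12, 13
    """(container, requests|limits, cpu|memory) triples that are not set."""
    return [(c["name"], kind, res)
            for c in _containers(manifest)
            for kind in ("requests", "limits")
            for res in ("cpu", "memory")
            if res not in c.get("resources", {}).get(kind, {})]


def pull_policy_ok(manifest):  # CKV_K8S_15, relaxed for digest-pinned images (my rule)
    return all(c.get("imagePullPolicy") == "Always" or bool(DIGEST_RE.search(c.get("image", "")))
               for c in _containers(manifest))


def security_context_everywhere(manifest):  # CKV_K8S_29: pod level and every container
    return "securityContext" in _pod(manifest) and all("securityContext" in c for c in _containers(manifest))


def run_checks(manifest):
    return {
        "CKV_K8S_31": seccomp_ok(manifest),
        "CKV_K8S_38": token_not_mounted(manifest),
        "CKV_K8S_43": images_pinned_by_digest(manifest),
        "CKV_K8S_10-13": not missing_resources(manifest),
        "CKV_K8S_15": pull_policy_ok(manifest),
        "CKV_K8S_29": security_context_everywhere(manifest),
    }


def skipped_checks(manifest):
    """Check IDs suppressed through checkov.io/skipN metadata annotations (CHECK_ID=reason)."""
    ann = manifest.get("metadata", {}).get("annotations", {})
    return {v.split("=", 1)[0] for k, v in ann.items() if k.startswith("checkov.io/skip")}


PLACEHOLDER_DIGEST = "sha256:" + "0" * 64  # made up; take the real one from the registry


def harden(manifest, digest=PLACEHOLDER_DIGEST):
    """Copy that clears every check except CKV_K8S_38, which is recorded as an accepted
    finding: kube-state-metrics cannot do its job without an API server token."""
    m = copy.deepcopy(manifest)
    pod = _pod(m)
    pod["securityContext"] = {"runAsNonRoot": True, "runAsUser": 65534,
                              "seccompProfile": {"type": "RuntimeDefault"}}
    for c in pod["containers"]:
        c["image"] = c["image"].split("@")[0] + "@" + digest  # name:tag@digest; the digest decides what is pulled
        c["imagePullPolicy"] = "Always"
        c["resources"] = {"requests": {"cpu": "10m", "memory": "64Mi"},  # illustrative values
                          "limits": {"cpu": "100m", "memory": "128Mi"}}
    m["metadata"].setdefault("annotations", {})["checkov.io/skip1"] = \
        "CKV_K8S_38=kube-state-metrics must read the API server; the token is required"
    return m


if __name__ == "__main__":
    for label, m in (("scanned", KSM_SCANNED), ("hardened", harden(KSM_SCANNED))):
        skipped = skipped_checks(m)
        for check_id, ok in run_checks(m).items():
            state = "PASSED" if ok else ("SKIPPED" if check_id in skipped else "FAILED")
            print(f"{label:9s} {check_id:13s} {state}")
```

Running the script prints one PASSED/FAILED/SKIPPED line per check for the scanned and the hardened manifest; the only non-PASSED line for the hardened copy is CKV_K8S_38 as SKIPPED, with the reason carried in the annotation where the next reviewer will see it.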
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/134/prometheus/prometheus-operator/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/134/prometheus/prometheus-operator/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/134/prometheus/prometheus-operator/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/134/prometheus/prometheus-operator/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/134/prometheus/prometheus-operator/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /lessons/134/prometheus/prometheus-operator/3-deployment.yaml:1-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: ClusterRole.default.prometheus-operator
File: /lessons/134/prometheus/prometheus-operator/1-cluster-role.yaml:2-81
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_1: "RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding"
FAILED for resource: ClusterRoleBinding.default.prometheus-adapter-hpa-controller
File: /lessons/073/6-prometheus-adapter/1-custom-metrics/0-rbac.yaml:14-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/rolebinding-should-not-allow-privilege-escalation-to-a-serviceaccount-or-node-on-other-rolebinding.html
14 | apiVersion: rbac.authorization.k8s.io/v1
15 | kind: ClusterRoleBinding
16 | metadata:
17 | labels:
18 | app: prometheus-adapter
19 | name: prometheus-adapter-hpa-controller
20 | roleRef:
21 | apiGroup: rbac.authorization.k8s.io
22 | kind: ClusterRole
23 | name: prometheus-adapter-server-resources
24 | subjects:
25 | - kind: ServiceAccount
26 | name: custom-metrics-prometheus-adapter
27 | namespace: monitoring
Check: CKV2_K8S_5: "No ServiceAccount/Node should be able to read all secrets"
FAILED for resource: RoleBinding.ingress.my-ing-ingress-nginx-admission
File: /lessons/082/my-ing/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml:3-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/no-serviceaccountnode-should-be-able-to-read-all-secrets.html
3 | apiVersion: rbac.authorization.k8s.io/v1
4 | kind: RoleBinding
5 | metadata:
6 | name: my-ing-ingress-nginx-admission
7 | namespace: ingress
8 | annotations:
9 | "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
10 | "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
11 | labels:
12 | helm.sh/chart: ingress-nginx-3.35.0
13 | app.kubernetes.io/name: ingress-nginx
14 | app.kubernetes.io/instance: my-ing
15 | app.kubernetes.io/version: "0.48.1"
16 | app.kubernetes.io/managed-by: Helm
17 | app.kubernetes.io/component: admission-webhook
18 | roleRef:
19 | apiGroup: rbac.authorization.k8s.io
20 | kind: Role
21 | name: my-ing-ingress-nginx-admission
22 | subjects:
23 | - kind: ServiceAccount
24 | name: my-ing-ingress-nginx-admission
25 | namespace: "ingress"
Check: CKV2_K8S_5: "No ServiceAccount/Node should be able to read all secrets"
FAILED for resource: ClusterRoleBinding.default.prometheus-adapter-hpa-controller
File: /lessons/073/6-prometheus-adapter/1-custom-metrics/0-rbac.yaml:14-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/no-serviceaccountnode-should-be-able-to-read-all-secrets.html
Check: CKV2_K8S_5: "No ServiceAccount/Node should be able to read all secrets"
FAILED for resource: RoleBinding.kube-system.sealed-secrets-controller
File: /lessons/044/k8s/01-kubeseal.yaml:48-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/no-serviceaccountnode-should-be-able-to-read-all-secrets.html
48 | apiVersion: rbac.authorization.k8s.io/v1beta1
49 | kind: RoleBinding
50 | metadata:
51 | annotations: {}
52 | labels:
53 | name: sealed-secrets-controller
54 | name: sealed-secrets-controller
55 | namespace: kube-system
56 | roleRef:
57 | apiGroup: rbac.authorization.k8s.io
58 | kind: Role
59 | name: sealed-secrets-key-admin
60 | subjects:
61 | - kind: ServiceAccount
62 | name: sealed-secrets-controller
63 | namespace: kube-system
64 | ---
Check: CKV2_K8S_3: "No ServiceAccount/Node should have `impersonate` permissions for groups/users/service-accounts"
FAILED for resource: ClusterRoleBinding.default.prometheus-adapter-hpa-controller
File: /lessons/073/6-prometheus-adapter/1-custom-metrics/0-rbac.yaml:14-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/no-serviceaccountnode-should-have-impersonate-permissions-for-groupsusersservice-accounts.html
Check: CKV2_K8S_4: "ServiceAccounts and nodes that can modify services/status may set the `status.loadBalancer.ingress.ip` field to exploit the unfixed CVE-2020-8554 and launch MiTM attacks against the cluster."
FAILED for resource: ClusterRoleBinding.default.prometheus-adapter-hpa-controller
File: /lessons/073/6-prometheus-adapter/1-custom-metrics/0-rbac.yaml:14-27
Guide: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/serviceaccounts-and-nodes-potentially-exposed-to-cve-2020-8554
Check: CKV2_K8S_2: "Granting `create` permissions to `nodes/proxy` or `pods/exec` sub resources allows potential privilege escalation"
FAILED for resource: ClusterRoleBinding.default.prometheus-adapter-hpa-controller
File: /lessons/073/6-prometheus-adapter/1-custom-metrics/0-rbac.yaml:14-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/granting-create-permissions-to-nodesproxy-or-podsexec-sub-resources-allows-potential-privilege-escalation.html
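The CKV2_K8S_* findings are graph checks: they fire on a binding because of what the role it references grants, and none of those roles (prometheus-adapter-server-resources, sealed-secrets-key-admin, the ingress-nginx admission Role) appears in the output above. The example below is added here and is neither checkov's code nor the repository's. It resolves bindings to subjects the way the API server does (a ClusterRoleBinding grants cluster-wide, a RoleBinding only inside its namespace, and apiGroups are honoured) and then asks the questions behind CKV2_K8S_2, 3, 4 and 5 plus the wildcard test of CKV_K8S_49. Since the referenced ClusterRole is not shown, two hypothetical versions are constructed: one with a full wildcard and one whose wildcard is confined to the custom.metrics.k8s.io group. The point is that a wildcard finding and an actual ability to read every Secret are different things, and the second has to be confirmed against the real role or on a live cluster. The sealed-secrets Role rules are likewise constructed. One further caveat on the lessons/044 RoleBinding: it uses rbac.authorization.k8s.io/v1beta1, which Kubernetes removed in 1.22, so that manifest needs rbac.authorization.k8s.io/v1 before any scoping question matters.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    """One entry of a Role/ClusterRole rules: list."""
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]

    def matches(self, group: str, resource: str, verb: str) -> bool:
        # "*" matches everything in its position; in `resources` that includes
        # subresources such as pods/exec and services/status.
        return (("*" in self.api_groups or group in self.api_groups)
                and ("*" in self.resources or resource in self.resources)
                and ("*" in self.verbs or verb in self.verbs))

    def has_wildcard(self) -> bool:  # CKV_K8S_49
        return "*" in self.api_groups or "*" in self.resources or "*" in self.verbs


@dataclass
class Binding:
    kind: str                        # "RoleBinding" or "ClusterRoleBinding"
    role: str                        # roleRef.name; Roles and ClusterRoles share one dict here
    subjects: List[str]              # "system:serviceaccount:<namespace>:<name>"
    namespace: Optional[str] = None  # RoleBinding namespace; None for a ClusterRoleBinding


def can(roles: Dict[str, List[Rule]], bindings: List[Binding], subject: str,
        group: str, resource: str, verb: str, namespace: Optional[str] = None) -> bool:
    """Mirror the API server's RBAC decision. namespace=None asks for cluster-wide
    permission, which only a ClusterRoleBinding can grant."""
    for b in bindings:
        if subject not in b.subjects:
            continue
        if b.kind == "RoleBinding" and (namespace is None or b.namespace != namespace):
            continue
        if any(r.matches(group, resource, verb) for r in roles.get(b.role, [])):
            return True
    return False


def risky_grants(roles, bindings, subject):
    """The cluster-wide abilities the CKV2_K8S_* checks warn about, core API group only."""
    def q(resource, verb):
        return can(roles, bindings, subject, "", resource, verb)
    return {
        "CKV2_K8S_5 read all secrets": q("secrets", "get") or q("secrets", "list"),
        "CKV2_K8S_3 impersonate": any(q(r, "impersonate") for r in ("users", "groups", "serviceaccounts")),
        "CKV2_K8S_2 create pods/exec or nodes/proxy": q("pods/exec", "create") or q("nodes/proxy", "create"),
        "CKV2_K8S_4 write services/status": q("services/status", "update") or q("services/status", "patch"),
    }


def wildcard_roles(roles):  # CKV_K8S_49
    return sorted(name for name, rules in roles.items() if any(r.has_wildcard() for r in rules))


# From the scanned ClusterRoleBinding at lessons/073/6-prometheus-adapter/1-custom-metrics/0-rbac.yaml:14-27.
ADAPTER_SA = "system:serviceaccount:monitoring:custom-metrics-prometheus-adapter"
HPA_BINDING = Binding("ClusterRoleBinding", "prometheus-adapter-server-resources", [ADAPTER_SA])

# Constructed: the ClusterRole is not in the scan output, so two hypothetical versions are
# compared. Both trip the wildcard check; only the first grants anything dangerous.
ROLES_FULL_WILDCARD = {"prometheus-adapter-server-resources": [Rule(["*"], ["*"], ["*"])]}
ROLES_GROUP_SCOPED = {"prometheus-adapter-server-resources": [Rule(["custom.metrics.k8s.io"], ["*"], ["*"])]}

# From the scanned RoleBinding at lessons/044/k8s/01-kubeseal.yaml:48-64; the Role's rules
# are constructed (a key-admin role that manages Secrets in its own namespace only).
SEALED_SA = "system:serviceaccount:kube-system:sealed-secrets-controller"
SEALED_BINDING = Binding("RoleBinding", "sealed-secrets-key-admin", [SEALED_SA], namespace="kube-system")
SEALED_ROLES = {"sealed-secrets-key-admin": [Rule([""], ["secrets"], ["get", "list", "create"])]}


if __name__ == "__main__":
    for label, roles in (("full wildcard", ROLES_FULL_WILDCARD), ("group scoped", ROLES_GROUP_SCOPED)):
        print(f"{label}: wildcard roles = {wildcard_roles(roles)}")
        for check, hit in risky_grants(roles, [HPA_BINDING], ADAPTER_SA).items():
            print(f"  {check}: {'FAILED' if hit else 'PASSED'}")
    print("sealed-secrets lists secrets in kube-system:",
          can(SEALED_ROLES, [SEALED_BINDING], SEALED_SA, "", "secrets", "list", namespace="kube-system"))
    print("sealed-secrets lists secrets cluster-wide:",
          can(SEALED_ROLES, [SEALED_BINDING], SEALED_SA, "", "secrets", "list"))
```

On a real cluster the same questions are answered by the API server itself: `kubectl auth can-i --list --as=system:serviceaccount:monitoring:custom-metrics-prometheus-adapter` enumerates what the subject can do, and `kubectl auth can-i get secrets --all-namespaces --as=system:serviceaccount:monitoring:custom-metrics-prometheus-adapter` answers the CKV2_K8S_5 question directly. If the real ClusterRole turns out to be group-scoped, the remediation is to replace the wildcards with the explicit resources and verbs the adapter needs, which clears CKV_K8S_49 and the graph findings together.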
dockerfile scan results:
Passed checks: 1486, Failed checks: 128, Skipped checks: 0
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/075/sam/sns/Dockerfile.
File: /lessons/075/sam/sns/Dockerfile:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM public.ecr.aws/lambda/python:3.8
2 |
3 | COPY function.py requirements.txt ./
4 |
5 | RUN python3.8 -m pip install -r requirements.txt -t .
6 |
7 | CMD ["function.lambda_handler"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/075/sam/sns/Dockerfile.
File: /lessons/075/sam/sns/Dockerfile:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /lessons/143/go-app/service-b.Dockerfile.FROM
File: /lessons/143/go-app/service-b.Dockerfile:14-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
14 | FROM gcr.io/distroless/base-debian11
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/143/go-app/service-b.Dockerfile.
File: /lessons/143/go-app/service-b.Dockerfile:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM golang:1.19.4-buster AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY cmd/service-b/main.go ./cmd/service-b/
11 |
12 | RUN go build -o /myapp cmd/service-b/main.go
13 |
14 | FROM gcr.io/distroless/base-debian11
15 |
16 | COPY --from=build /myapp /myapp
17 |
18 | ENTRYPOINT ["/myapp"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/143/go-app/service-b.Dockerfile.
File: /lessons/143/go-app/service-b.Dockerfile:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /lessons/145/go-app/Dockerfile.FROM
File: /lessons/145/go-app/Dockerfile:14-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
14 | FROM gcr.io/distroless/base-debian11
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/145/go-app/Dockerfile.
File: /lessons/145/go-app/Dockerfile:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM golang:1.19.4-buster AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY main.go .
11 |
12 | RUN go build -o /myapp main.go
13 |
14 | FROM gcr.io/distroless/base-debian11
15 |
16 | COPY --from=build /myapp /myapp
17 |
18 | ENTRYPOINT ["/myapp"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/145/go-app/Dockerfile.
File: /lessons/145/go-app/Dockerfile:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /lessons/143/go-app/service-a.Dockerfile.FROM
File: /lessons/143/go-app/service-a.Dockerfile:14-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
14 | FROM gcr.io/distroless/base-debian11
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/143/go-app/service-a.Dockerfile.
File: /lessons/143/go-app/service-a.Dockerfile:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM golang:1.19.4-buster AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY cmd/service-a/main.go ./cmd/service-a/
11 |
12 | RUN go build -o /myapp cmd/service-a/main.go
13 |
14 | FROM gcr.io/distroless/base-debian11
15 |
16 | COPY --from=build /myapp /myapp
17 |
18 | ENTRYPOINT ["/myapp"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/143/go-app/service-a.Dockerfile.
File: /lessons/143/go-app/service-a.Dockerfile:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /lessons/143/node-app/service-b.Dockerfile.FROM
File: /lessons/143/node-app/service-b.Dockerfile:9-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
9 | FROM gcr.io/distroless/nodejs18-debian11
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/143/node-app/service-b.Dockerfile.
File: /lessons/143/node-app/service-b.Dockerfile:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM node:18 AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY service-b.js package*.json .
6 |
7 | RUN npm ci --only=production
8 |
9 | FROM gcr.io/distroless/nodejs18-debian11
10 |
11 | COPY --from=build /app /app
12 |
13 | WORKDIR /app
14 |
15 | CMD ["service-b.js"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/143/node-app/service-b.Dockerfile.
File: /lessons/143/node-app/service-b.Dockerfile:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /lessons/172/client/Dockerfile.FROM
File: /lessons/172/client/Dockerfile:14-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
14 | FROM gcr.io/distroless/base-debian11
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/172/client/Dockerfile.
File: /lessons/172/client/Dockerfile:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM golang:1.20.6-bullseye AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY main.go .
11 |
12 | RUN go build -o /main main.go
13 |
14 | FROM gcr.io/distroless/base-debian11
15 |
16 | COPY --from=build /main /main
17 |
18 | ENTRYPOINT ["/main"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/172/client/Dockerfile.
File: /lessons/172/client/Dockerfile:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM golang:1.20.6-bullseye AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY main.go .
11 |
12 | RUN go build -o /main main.go
13 |
14 | FROM gcr.io/distroless/base-debian11
15 |
16 | COPY --from=build /main /main
17 |
18 | ENTRYPOINT ["/main"]
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /lessons/157/myapp/4-example.Dockerfile.FROM
File: /lessons/157/myapp/4-example.Dockerfile:14-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
14 | FROM gcr.io/distroless/python3-debian11
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/157/myapp/4-example.Dockerfile.
File: /lessons/157/myapp/4-example.Dockerfile:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM debian:11-slim AS build
2 |
3 | RUN apt-get update && \
4 | apt-get install --no-install-suggests --no-install-recommends --yes python3-venv gcc libpython3-dev && \
5 | python3 -m venv /venv && \
6 | /venv/bin/pip install --upgrade pip setuptools wheel
7 |
8 | FROM build AS build-venv
9 |
10 | COPY requirements.txt /requirements.txt
11 |
12 | RUN /venv/bin/pip install --disable-pip-version-check -r /requirements.txt
13 |
14 | FROM gcr.io/distroless/python3-debian11
15 |
16 | COPY --from=build-venv /venv /venv
17 |
18 | COPY main.py .
19 |
20 | ENTRYPOINT ["/venv/bin/python3", "main.py"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/157/myapp/4-example.Dockerfile.
File: /lessons/157/myapp/4-example.Dockerfile:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM debian:11-slim AS build
2 |
3 | RUN apt-get update && \
4 | apt-get install --no-install-suggests --no-install-recommends --yes python3-venv gcc libpython3-dev && \
5 | python3 -m venv /venv && \
6 | /venv/bin/pip install --upgrade pip setuptools wheel
7 |
8 | FROM build AS build-venv
9 |
10 | COPY requirements.txt /requirements.txt
11 |
12 | RUN /venv/bin/pip install --disable-pip-version-check -r /requirements.txt
13 |
14 | FROM gcr.io/distroless/python3-debian11
15 |
16 | COPY --from=build-venv /venv /venv
17 |
18 | COPY main.py .
19 |
20 | ENTRYPOINT ["/venv/bin/python3", "main.py"]
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /lessons/150/go-app/Dockerfile.FROM
File: /lessons/150/go-app/Dockerfile:14-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
14 | FROM gcr.io/distroless/base-debian11
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/150/go-app/Dockerfile.
File: /lessons/150/go-app/Dockerfile:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM golang:1.19.5-buster AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY main.go .
11 |
12 | RUN go build -o /go-app main.go
13 |
14 | FROM gcr.io/distroless/base-debian11
15 |
16 | COPY --from=build /go-app /go-app
17 |
18 | ENTRYPOINT ["/go-app"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/150/go-app/Dockerfile.
File: /lessons/150/go-app/Dockerfile:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM golang:1.19.5-buster AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY main.go .
11 |
12 | RUN go build -o /go-app main.go
13 |
14 | FROM gcr.io/distroless/base-debian11
15 |
16 | COPY --from=build /go-app /go-app
17 |
18 | ENTRYPOINT ["/go-app"]
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /lessons/137/my-app/Dockerfile.FROM
File: /lessons/137/my-app/Dockerfile:14-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
14 | FROM gcr.io/distroless/base-debian11
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/137/my-app/Dockerfile.
File: /lessons/137/my-app/Dockerfile:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM golang:1.19.3-buster AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY main.go ./
11 |
12 | RUN go build -o /my-app
13 |
14 | FROM gcr.io/distroless/base-debian11
15 |
16 | COPY --from=build /my-app /my-app
17 |
18 | ENTRYPOINT ["/my-app"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/137/my-app/Dockerfile.
File: /lessons/137/my-app/Dockerfile:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM golang:1.19.3-buster AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY main.go ./
11 |
12 | RUN go build -o /my-app
13 |
14 | FROM gcr.io/distroless/base-debian11
15 |
16 | COPY --from=build /my-app /my-app
17 |
18 | ENTRYPOINT ["/my-app"]
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/169/Dockerfile.
File: /lessons/169/Dockerfile:1-3
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM postgres:15.3
2 |
3 | COPY ./sql/*.sql /docker-entrypoint-initdb.d/
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/169/Dockerfile.
File: /lessons/169/Dockerfile:1-3
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM postgres:15.3
2 |
3 | COPY ./sql/*.sql /docker-entrypoint-initdb.d/
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /lessons/138/go-app/Dockerfile.FROM
File: /lessons/138/go-app/Dockerfile:14-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
14 | FROM gcr.io/distroless/base-debian11
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/138/go-app/Dockerfile.
File: /lessons/138/go-app/Dockerfile:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM golang:1.19.3-buster AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY main.go ./
11 |
12 | RUN go build -o /my-app
13 |
14 | FROM gcr.io/distroless/base-debian11
15 |
16 | COPY --from=build /my-app /my-app
17 |
18 | ENTRYPOINT ["/my-app"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/138/go-app/Dockerfile.
File: /lessons/138/go-app/Dockerfile:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM golang:1.19.3-buster AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY main.go ./
11 |
12 | RUN go build -o /my-app
13 |
14 | FROM gcr.io/distroless/base-debian11
15 |
16 | COPY --from=build /my-app /my-app
17 |
18 | ENTRYPOINT ["/my-app"]
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /lessons/155/myapp/Dockerfile.FROM
File: /lessons/155/myapp/Dockerfile:14-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
14 | FROM gcr.io/distroless/base-debian11
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/155/myapp/Dockerfile.
File: /lessons/155/myapp/Dockerfile:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM golang:1.19.6-buster AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY cmd/main.go ./cmd/main.go
11 |
12 | RUN go build -o /myapp cmd/main.go
13 |
14 | FROM gcr.io/distroless/base-debian11
15 |
16 | COPY --from=build /myapp /myapp
17 |
18 | ENTRYPOINT ["/myapp"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/155/myapp/Dockerfile.
File: /lessons/155/myapp/Dockerfile:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM golang:1.19.6-buster AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY cmd/main.go ./cmd/main.go
11 |
12 | RUN go build -o /myapp cmd/main.go
13 |
14 | FROM gcr.io/distroless/base-debian11
15 |
16 | COPY --from=build /myapp /myapp
17 |
18 | ENTRYPOINT ["/myapp"]
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/058/function/Dockerfile.
File: /lessons/058/function/Dockerfile:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM public.ecr.aws/lambda/python:3.8
2 |
3 | COPY app.py requirements.txt ${LAMBDA_TASK_ROOT}/
4 |
5 | RUN pip3 install --target ${LAMBDA_TASK_ROOT}/ -r requirements.txt
6 |
7 | CMD ["app.lambda_handler"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/058/function/Dockerfile.
File: /lessons/058/function/Dockerfile:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM public.ecr.aws/lambda/python:3.8
2 |
3 | COPY app.py requirements.txt ${LAMBDA_TASK_ROOT}/
4 |
5 | RUN pip3 install --target ${LAMBDA_TASK_ROOT}/ -r requirements.txt
6 |
7 | CMD ["app.lambda_handler"]
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/175/myapp/Dockerfile.
File: /lessons/175/myapp/Dockerfile:1-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM python:3.11.4-alpine3.17
2 |
3 | WORKDIR /app
4 |
5 | COPY app.py requirements.txt .
6 |
7 | RUN pip install -r requirements.txt
8 |
9 | CMD ["gunicorn" , "--bind", "0.0.0.0:8080", "app:app"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/175/myapp/Dockerfile.
File: /lessons/175/myapp/Dockerfile:1-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM python:3.11.4-alpine3.17
2 |
3 | WORKDIR /app
4 |
5 | COPY app.py requirements.txt .
6 |
7 | RUN pip install -r requirements.txt
8 |
9 | CMD ["gunicorn" , "--bind", "0.0.0.0:8080", "app:app"]
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/073/0-express/Dockerfile.
File: /lessons/073/0-express/Dockerfile:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM amd64/node:16-alpine3.11
2 |
3 | WORKDIR /usr/src/app
4 |
5 | COPY package*.json ./
6 |
7 | RUN npm ci --only=production
8 |
9 | COPY server.js .
10 |
11 | CMD [ "node", "server.js" ]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/073/0-express/Dockerfile.
File: /lessons/073/0-express/Dockerfile:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM amd64/node:16-alpine3.11
2 |
3 | WORKDIR /usr/src/app
4 |
5 | COPY package*.json ./
6 |
7 | RUN npm ci --only=production
8 |
9 | COPY server.js .
10 |
11 | CMD [ "node", "server.js" ]
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /lessons/153/go-app/rest-server.Dockerfile.FROM
File: /lessons/153/go-app/rest-server.Dockerfile:15-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
15 | FROM gcr.io/distroless/base-debian11
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/153/go-app/rest-server.Dockerfile.
File: /lessons/153/go-app/rest-server.Dockerfile:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM golang:1.19.5-buster AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY device device
11 | COPY cmd/rest-server cmd/rest-server
12 |
13 | RUN go build -o /myapp cmd/rest-server/main.go
14 |
15 | FROM gcr.io/distroless/base-debian11
16 |
17 | COPY --from=build /myapp /myapp
18 |
19 | ENTRYPOINT ["/myapp"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/153/go-app/rest-server.Dockerfile.
File: /lessons/153/go-app/rest-server.Dockerfile:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM golang:1.19.5-buster AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY device device
11 | COPY cmd/rest-server cmd/rest-server
12 |
13 | RUN go build -o /myapp cmd/rest-server/main.go
14 |
15 | FROM gcr.io/distroless/base-debian11
16 |
17 | COPY --from=build /myapp /myapp
18 |
19 | ENTRYPOINT ["/myapp"]
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/077/secret-access/Dockerfile.
File: /lessons/077/secret-access/Dockerfile:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM public.ecr.aws/lambda/nodejs:14
2 |
3 | COPY app.js package*.json /var/task/
4 |
5 | RUN npm ci --production
6 |
7 | CMD [ "app.handler" ]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/077/secret-access/Dockerfile.
File: /lessons/077/secret-access/Dockerfile:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM public.ecr.aws/lambda/nodejs:14
2 |
3 | COPY app.js package*.json /var/task/
4 |
5 | RUN npm ci --production
6 |
7 | CMD [ "app.handler" ]
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /lessons/152/app/grpc-client.Dockerfile.FROM
File: /lessons/152/app/grpc-client.Dockerfile:16-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
16 | FROM gcr.io/distroless/base-debian11
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/152/app/grpc-client.Dockerfile.
File: /lessons/152/app/grpc-client.Dockerfile:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | # FROM golang:1.19.5-buster AS build
2 | FROM golang:1.19.5 AS build
3 |
4 | WORKDIR /app
5 |
6 | COPY go.mod ./
7 | COPY go.sum ./
8 |
9 | RUN go mod download && go mod verify
10 |
11 | COPY proto proto
12 | COPY cmd/grpc-client cmd/grpc-client
13 |
14 | RUN go build -o /grpc-client cmd/grpc-client/main.go
15 |
16 | FROM gcr.io/distroless/base-debian11
17 |
18 | COPY --from=build /grpc-client /grpc-client
19 |
20 | ENTRYPOINT ["/grpc-client"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/152/app/grpc-client.Dockerfile.
File: /lessons/152/app/grpc-client.Dockerfile:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | # FROM golang:1.19.5-buster AS build
2 | FROM golang:1.19.5 AS build
3 |
4 | WORKDIR /app
5 |
6 | COPY go.mod ./
7 | COPY go.sum ./
8 |
9 | RUN go mod download && go mod verify
10 |
11 | COPY proto proto
12 | COPY cmd/grpc-client cmd/grpc-client
13 |
14 | RUN go build -o /grpc-client cmd/grpc-client/main.go
15 |
16 | FROM gcr.io/distroless/base-debian11
17 |
18 | COPY --from=build /grpc-client /grpc-client
19 |
20 | ENTRYPOINT ["/grpc-client"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/044/app/Dockerfile.
File: /lessons/044/app/Dockerfile:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM python:3.9.1-alpine3.12
2 |
3 | WORKDIR /app
4 |
5 | COPY requirements.txt .
6 |
7 | RUN addgroup -S flask && \
8 | adduser -S flask -G flask && \
9 | pip install -r requirements.txt
10 |
11 | COPY src/ .
12 |
13 | USER flask
14 |
15 | ENTRYPOINT [ "python3", "./server.py" ]
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/157/myapp/1-example.Dockerfile.
File: /lessons/157/myapp/1-example.Dockerfile:1-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM python:3.11.2
2 |
3 | COPY main.py .
4 |
5 | ENTRYPOINT [ "python3", "main.py"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/157/myapp/1-example.Dockerfile.
File: /lessons/157/myapp/1-example.Dockerfile:1-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM python:3.11.2
2 |
3 | COPY main.py .
4 |
5 | ENTRYPOINT [ "python3", "main.py"]
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/157/myapp/2-example.Dockerfile.
File: /lessons/157/myapp/2-example.Dockerfile:1-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM python:3.11.2-slim-buster
2 |
3 | COPY main.py .
4 |
5 | ENTRYPOINT [ "python3", "main.py"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/157/myapp/2-example.Dockerfile.
File: /lessons/157/myapp/2-example.Dockerfile:1-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM python:3.11.2-slim-buster
2 |
3 | COPY main.py .
4 |
5 | ENTRYPOINT [ "python3", "main.py"]
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/043/app/Dockerfile.
File: /lessons/043/app/Dockerfile:1-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM golang:1.15.6-alpine3.12
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod .
6 | COPY go.sum .
7 |
8 | RUN go mod download
9 |
10 | COPY main.go main.go
11 |
12 | RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o main main.go
13 |
14 | ENTRYPOINT ["/app/main"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/043/app/Dockerfile.
File: /lessons/043/app/Dockerfile:1-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM golang:1.15.6-alpine3.12
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod .
6 | COPY go.sum .
7 |
8 | RUN go mod download
9 |
10 | COPY main.go main.go
11 |
12 | RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o main main.go
13 |
14 | ENTRYPOINT ["/app/main"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/046/app/Dockerfile.
File: /lessons/046/app/Dockerfile:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM node:15.8.0
2 |
3 | WORKDIR /usr/src/app
4 |
5 | COPY package*.json ./
6 |
7 | RUN npm ci --only=production
8 |
9 | COPY . .
10 |
11 | USER node
12 |
13 | CMD [ "node", "server.js" ]
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/141/myapp/Dockerfile.
File: /lessons/141/myapp/Dockerfile:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM python:3.12.0a3-alpine3.17
2 |
3 | WORKDIR /app
4 |
5 | COPY app.py requirements.txt .
6 |
7 | RUN pip install -r requirements.txt
8 |
9 | EXPOSE 8282
10 |
11 | CMD ["gunicorn" , "--bind", "0.0.0.0:8282", "app:app"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/141/myapp/Dockerfile.
File: /lessons/141/myapp/Dockerfile:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM python:3.12.0a3-alpine3.17
2 |
3 | WORKDIR /app
4 |
5 | COPY app.py requirements.txt .
6 |
7 | RUN pip install -r requirements.txt
8 |
9 | EXPOSE 8282
10 |
11 | CMD ["gunicorn" , "--bind", "0.0.0.0:8282", "app:app"]
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /lessons/147/go-app/Dockerfile.FROM
File: /lessons/147/go-app/Dockerfile:15-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
15 | FROM gcr.io/distroless/base-debian11
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/147/go-app/Dockerfile.
File: /lessons/147/go-app/Dockerfile:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM golang:1.19.5-buster AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY proto proto
11 | COPY main.go .
12 |
13 | RUN go build -o /myapp main.go
14 |
15 | FROM gcr.io/distroless/base-debian11
16 |
17 | COPY --from=build /myapp /myapp
18 |
19 | ENTRYPOINT ["/myapp"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/147/go-app/Dockerfile.
File: /lessons/147/go-app/Dockerfile:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM golang:1.19.5-buster AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY proto proto
11 | COPY main.go .
12 |
13 | RUN go build -o /myapp main.go
14 |
15 | FROM gcr.io/distroless/base-debian11
16 |
17 | COPY --from=build /myapp /myapp
18 |
19 | ENTRYPOINT ["/myapp"]
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/047/hello-app/Dockerfile.
File: /lessons/047/hello-app/Dockerfile:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM public.ecr.aws/lambda/nodejs:14
2 |
3 | COPY app.js package*.json /var/task/
4 |
5 | RUN npm ci --only=production
6 |
7 | CMD [ "app.hello" ]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/047/hello-app/Dockerfile.
File: /lessons/047/hello-app/Dockerfile:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM public.ecr.aws/lambda/nodejs:14
2 |
3 | COPY app.js package*.json /var/task/
4 |
5 | RUN npm ci --only=production
6 |
7 | CMD [ "app.hello" ]
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /lessons/082/app/Dockerfile.FROM
File: /lessons/082/app/Dockerfile:13-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
13 | FROM gcr.io/distroless/static
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/082/app/Dockerfile.
File: /lessons/082/app/Dockerfile:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM golang:1.17.0-alpine3.14 AS build
2 |
3 | WORKDIR /src
4 |
5 | COPY ./go.mod ./
6 |
7 | RUN go mod download
8 |
9 | COPY main.go .
10 |
11 | RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -installsuffix 'static' -o /app .
12 |
13 | FROM gcr.io/distroless/static
14 |
15 | USER nonroot:nonroot
16 |
17 | COPY --from=build --chown=nonroot:nonroot /app /app
18 |
19 | ENTRYPOINT ["/app"]
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/048/hello-app/Dockerfile.
File: /lessons/048/hello-app/Dockerfile:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM public.ecr.aws/lambda/nodejs:14
2 |
3 | COPY app.js package*.json /var/task/
4 |
5 | RUN npm ci --only=production
6 |
7 | CMD [ "app.hello" ]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/048/hello-app/Dockerfile.
File: /lessons/048/hello-app/Dockerfile:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM public.ecr.aws/lambda/nodejs:14
2 |
3 | COPY app.js package*.json /var/task/
4 |
5 | RUN npm ci --only=production
6 |
7 | CMD [ "app.hello" ]
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/138/rust-app/Dockerfile.
File: /lessons/138/rust-app/Dockerfile:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM amd64/rust:1.65.0-bullseye as build
2 |
3 | WORKDIR /app
4 |
5 | COPY . .
6 |
7 | RUN cargo build --release
8 |
9 | FROM debian:11.5-slim
10 |
11 | COPY --from=build /app/target/release/rust-app /rust-app
12 |
13 | CMD ["/rust-app"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/138/rust-app/Dockerfile.
File: /lessons/138/rust-app/Dockerfile:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM amd64/rust:1.65.0-bullseye as build
2 |
3 | WORKDIR /app
4 |
5 | COPY . .
6 |
7 | RUN cargo build --release
8 |
9 | FROM debian:11.5-slim
10 |
11 | COPY --from=build /app/target/release/rust-app /rust-app
12 |
13 | CMD ["/rust-app"]
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/173/myapp/Dockerfile.
File: /lessons/173/myapp/Dockerfile:1-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM python:3.11.4-alpine3.17
2 |
3 | WORKDIR /app
4 |
5 | COPY app.py requirements.txt .
6 |
7 | RUN pip install -r requirements.txt
8 |
9 | CMD ["gunicorn" , "--bind", "0.0.0.0:8080", "app:app"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/173/myapp/Dockerfile.
File: /lessons/173/myapp/Dockerfile:1-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM python:3.11.4-alpine3.17
2 |
3 | WORKDIR /app
4 |
5 | COPY app.py requirements.txt .
6 |
7 | RUN pip install -r requirements.txt
8 |
9 | CMD ["gunicorn" , "--bind", "0.0.0.0:8080", "app:app"]
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /lessons/149/app/grpc.Dockerfile.FROM
File: /lessons/149/app/grpc.Dockerfile:16-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
16 | FROM gcr.io/distroless/base-debian11
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/149/app/grpc.Dockerfile.
File: /lessons/149/app/grpc.Dockerfile:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM golang:1.19.5-buster AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY serializer serializer
11 | COPY event event
12 | COPY cmd/grpc-server cmd/grpc-server
13 |
14 | RUN go build -o /myapp cmd/grpc-server/main.go
15 |
16 | FROM gcr.io/distroless/base-debian11
17 |
18 | COPY --from=build /myapp /myapp
19 |
20 | ENTRYPOINT ["/myapp"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/149/app/grpc.Dockerfile.
File: /lessons/149/app/grpc.Dockerfile:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM golang:1.19.5-buster AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY serializer serializer
11 | COPY event event
12 | COPY cmd/grpc-server cmd/grpc-server
13 |
14 | RUN go build -o /myapp cmd/grpc-server/main.go
15 |
16 | FROM gcr.io/distroless/base-debian11
17 |
18 | COPY --from=build /myapp /myapp
19 |
20 | ENTRYPOINT ["/myapp"]
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /lessons/152/app/kafka-agent.Dockerfile.FROM
File: /lessons/152/app/kafka-agent.Dockerfile:16-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
16 | FROM gcr.io/distroless/base-debian11
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/152/app/kafka-agent.Dockerfile.
File: /lessons/152/app/kafka-agent.Dockerfile:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | # FROM golang:1.19.5-buster AS build
2 | FROM golang:1.19.5 AS build
3 |
4 | WORKDIR /app
5 |
6 | COPY go.mod ./
7 | COPY go.sum ./
8 |
9 | RUN go mod download && go mod verify
10 |
11 | COPY proto proto
12 | COPY cmd/kafka-agent cmd/kafka-agent
13 |
14 | RUN go build -o /kafka-agent cmd/kafka-agent/main.go
15 |
16 | FROM gcr.io/distroless/base-debian11
17 |
18 | COPY --from=build /kafka-agent /kafka-agent
19 |
20 | ENTRYPOINT ["/kafka-agent"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/152/app/kafka-agent.Dockerfile.
File: /lessons/152/app/kafka-agent.Dockerfile:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | # FROM golang:1.19.5-buster AS build
2 | FROM golang:1.19.5 AS build
3 |
4 | WORKDIR /app
5 |
6 | COPY go.mod ./
7 | COPY go.sum ./
8 |
9 | RUN go mod download && go mod verify
10 |
11 | COPY proto proto
12 | COPY cmd/kafka-agent cmd/kafka-agent
13 |
14 | RUN go build -o /kafka-agent cmd/kafka-agent/main.go
15 |
16 | FROM gcr.io/distroless/base-debian11
17 |
18 | COPY --from=build /kafka-agent /kafka-agent
19 |
20 | ENTRYPOINT ["/kafka-agent"]
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /lessons/168/myapp/Dockerfile.FROM
File: /lessons/168/myapp/Dockerfile:14-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
14 | FROM gcr.io/distroless/base-debian11
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/168/myapp/Dockerfile.
File: /lessons/168/myapp/Dockerfile:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM golang:1.20.5-buster AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY main.go main.go
11 |
12 | RUN go build -o /myapp main.go
13 |
14 | FROM gcr.io/distroless/base-debian11
15 |
16 | COPY --from=build /myapp /myapp
17 |
18 | ENTRYPOINT ["/myapp"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/168/myapp/Dockerfile.
File: /lessons/168/myapp/Dockerfile:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM golang:1.20.5-buster AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY main.go main.go
11 |
12 | RUN go build -o /myapp main.go
13 |
14 | FROM gcr.io/distroless/base-debian11
15 |
16 | COPY --from=build /myapp /myapp
17 |
18 | ENTRYPOINT ["/myapp"]
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/145/java-app/Dockerfile.
File: /lessons/145/java-app/Dockerfile:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM maven:3.8.7-amazoncorretto-19 as builder
2 |
3 | WORKDIR /app
4 |
5 | COPY pom.xml .
6 |
7 | COPY src src
8 |
9 | RUN mvn clean package
10 |
11 | FROM amazoncorretto:19.0.1-alpine3.16
12 |
13 | COPY --from=builder /app/target/*.jar /app/java-app.jar
14 |
15 | ENTRYPOINT ["java","-jar","/app/java-app.jar"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/145/java-app/Dockerfile.
File: /lessons/145/java-app/Dockerfile:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM maven:3.8.7-amazoncorretto-19 as builder
2 |
3 | WORKDIR /app
4 |
5 | COPY pom.xml .
6 |
7 | COPY src src
8 |
9 | RUN mvn clean package
10 |
11 | FROM amazoncorretto:19.0.1-alpine3.16
12 |
13 | COPY --from=builder /app/target/*.jar /app/java-app.jar
14 |
15 | ENTRYPOINT ["java","-jar","/app/java-app.jar"]
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /lessons/157/myapp/3-example.Dockerfile.FROM
File: /lessons/157/myapp/3-example.Dockerfile:1-1
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
1 | FROM gcr.io/distroless/python3-debian11
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/157/myapp/3-example.Dockerfile.
File: /lessons/157/myapp/3-example.Dockerfile:1-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM gcr.io/distroless/python3-debian11
2 |
3 | COPY main.py .
4 |
5 | ENTRYPOINT ["python3", "-u", "main.py"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/157/myapp/3-example.Dockerfile.
File: /lessons/157/myapp/3-example.Dockerfile:1-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM gcr.io/distroless/python3-debian11
2 |
3 | COPY main.py .
4 |
5 | ENTRYPOINT ["python3", "-u", "main.py"]
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/055/nginx/Dockerfile.
File: /lessons/055/nginx/Dockerfile:1-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM nginx:1.19.8
2 |
3 | COPY index.html /data/www/
4 | COPY devopsbyexample.conf /etc/nginx/conf.d/devopsbyexample.conf
5 | COPY nginx.conf /etc/nginx/nginx.conf
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/055/nginx/Dockerfile.
File: /lessons/055/nginx/Dockerfile:1-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM nginx:1.19.8
2 |
3 | COPY index.html /data/www/
4 | COPY devopsbyexample.conf /etc/nginx/conf.d/devopsbyexample.conf
5 | COPY nginx.conf /etc/nginx/nginx.conf
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /lessons/152/app/grpc-server.Dockerfile.FROM
File: /lessons/152/app/grpc-server.Dockerfile:16-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
16 | FROM gcr.io/distroless/base-debian11
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/152/app/grpc-server.Dockerfile.
File: /lessons/152/app/grpc-server.Dockerfile:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | # FROM golang:1.19.5-buster AS build
2 | FROM golang:1.19.5 AS build
3 |
4 | WORKDIR /app
5 |
6 | COPY go.mod ./
7 | COPY go.sum ./
8 |
9 | RUN go mod download && go mod verify
10 |
11 | COPY proto proto
12 | COPY cmd/grpc-server cmd/grpc-server
13 |
14 | RUN go build -o /grpc-server cmd/grpc-server/main.go
15 |
16 | FROM gcr.io/distroless/base-debian11
17 |
18 | COPY --from=build /grpc-server /grpc-server
19 |
20 | ENTRYPOINT ["/grpc-server"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/152/app/grpc-server.Dockerfile.
File: /lessons/152/app/grpc-server.Dockerfile:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | # FROM golang:1.19.5-buster AS build
2 | FROM golang:1.19.5 AS build
3 |
4 | WORKDIR /app
5 |
6 | COPY go.mod ./
7 | COPY go.sum ./
8 |
9 | RUN go mod download && go mod verify
10 |
11 | COPY proto proto
12 | COPY cmd/grpc-server cmd/grpc-server
13 |
14 | RUN go build -o /grpc-server cmd/grpc-server/main.go
15 |
16 | FROM gcr.io/distroless/base-debian11
17 |
18 | COPY --from=build /grpc-server /grpc-server
19 |
20 | ENTRYPOINT ["/grpc-server"]
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /lessons/172/myapp/service-b.Dockerfile.FROM
File: /lessons/172/myapp/service-b.Dockerfile:14-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
14 | FROM gcr.io/distroless/base-debian11
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/172/myapp/service-b.Dockerfile.
File: /lessons/172/myapp/service-b.Dockerfile:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM golang:1.20.6-bullseye AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY cmd/service-b/main.go ./cmd/service-b/
11 |
12 | RUN go build -o /myapp cmd/service-b/main.go
13 |
14 | FROM gcr.io/distroless/base-debian11
15 |
16 | COPY --from=build /myapp /myapp
17 |
18 | ENTRYPOINT ["/myapp"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/172/myapp/service-b.Dockerfile.
File: /lessons/172/myapp/service-b.Dockerfile:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM golang:1.20.6-bullseye AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY cmd/service-b/main.go ./cmd/service-b/
11 |
12 | RUN go build -o /myapp cmd/service-b/main.go
13 |
14 | FROM gcr.io/distroless/base-debian11
15 |
16 | COPY --from=build /myapp /myapp
17 |
18 | ENTRYPOINT ["/myapp"]
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /lessons/149/app/rest.Dockerfile.FROM
File: /lessons/149/app/rest.Dockerfile:16-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
16 | FROM gcr.io/distroless/base-debian11
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/149/app/rest.Dockerfile.
File: /lessons/149/app/rest.Dockerfile:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM golang:1.19.5-buster AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY serializer serializer
11 | COPY event event
12 | COPY cmd/rest-server cmd/rest-server
13 |
14 | RUN go build -o /myapp cmd/rest-server/main.go
15 |
16 | FROM gcr.io/distroless/base-debian11
17 |
18 | COPY --from=build /myapp /myapp
19 |
20 | ENTRYPOINT ["/myapp"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/149/app/rest.Dockerfile.
File: /lessons/149/app/rest.Dockerfile:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM golang:1.19.5-buster AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY serializer serializer
11 | COPY event event
12 | COPY cmd/rest-server cmd/rest-server
13 |
14 | RUN go build -o /myapp cmd/rest-server/main.go
15 |
16 | FROM gcr.io/distroless/base-debian11
17 |
18 | COPY --from=build /myapp /myapp
19 |
20 | ENTRYPOINT ["/myapp"]
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /lessons/142/go-app/Dockerfile.FROM
File: /lessons/142/go-app/Dockerfile:14-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
14 | FROM gcr.io/distroless/base-debian11
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/142/go-app/Dockerfile.
File: /lessons/142/go-app/Dockerfile:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM golang:1.19.4-buster AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY cmd/main.go ./cmd/main.go
11 |
12 | RUN go build -o /myapp cmd/main.go
13 |
14 | FROM gcr.io/distroless/base-debian11
15 |
16 | COPY --from=build /myapp /myapp
17 |
18 | ENTRYPOINT ["/myapp"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/142/go-app/Dockerfile.
File: /lessons/142/go-app/Dockerfile:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM golang:1.19.4-buster AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY cmd/main.go ./cmd/main.go
11 |
12 | RUN go build -o /myapp cmd/main.go
13 |
14 | FROM gcr.io/distroless/base-debian11
15 |
16 | COPY --from=build /myapp /myapp
17 |
18 | ENTRYPOINT ["/myapp"]
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /lessons/154/myapp/Dockerfile.FROM
File: /lessons/154/myapp/Dockerfile:14-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
14 | FROM gcr.io/distroless/base-debian11
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/154/myapp/Dockerfile.
File: /lessons/154/myapp/Dockerfile:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM golang:1.19.6-buster AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY main.go main.go
11 |
12 | RUN go build -o /myapp main.go
13 |
14 | FROM gcr.io/distroless/base-debian11
15 |
16 | COPY --from=build /myapp /myapp
17 |
18 | ENTRYPOINT ["/myapp"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/154/myapp/Dockerfile.
File: /lessons/154/myapp/Dockerfile:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM golang:1.19.6-buster AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY main.go main.go
11 |
12 | RUN go build -o /myapp main.go
13 |
14 | FROM gcr.io/distroless/base-debian11
15 |
16 | COPY --from=build /myapp /myapp
17 |
18 | ENTRYPOINT ["/myapp"]
Check: CKV_DOCKER_9: "Ensure that APT isn't used"
FAILED for resource: /lessons/147/rust-app/Dockerfile.RUN
File: /lessons/147/rust-app/Dockerfile:5-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-docker-apt-is-not-used.html
5 | RUN apt update && apt install -y protobuf-compiler libprotobuf-dev
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/147/rust-app/Dockerfile.
File: /lessons/147/rust-app/Dockerfile:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM rust:1.66.1-bullseye as build
2 |
3 | WORKDIR /app
4 |
5 | RUN apt update && apt install -y protobuf-compiler libprotobuf-dev
6 |
7 | COPY . .
8 |
9 | RUN cargo build --release
10 |
11 | FROM debian:11.6-slim
12 |
13 | COPY --from=build /app/target/release/hardware-server /hardware-server
14 |
15 | CMD ["/hardware-server"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/147/rust-app/Dockerfile.
File: /lessons/147/rust-app/Dockerfile:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM rust:1.66.1-bullseye as build
2 |
3 | WORKDIR /app
4 |
5 | RUN apt update && apt install -y protobuf-compiler libprotobuf-dev
6 |
7 | COPY . .
8 |
9 | RUN cargo build --release
10 |
11 | FROM debian:11.6-slim
12 |
13 | COPY --from=build /app/target/release/hardware-server /hardware-server
14 |
15 | CMD ["/hardware-server"]
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /lessons/089/Dockerfile.FROM
File: /lessons/089/Dockerfile:1-1
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
1 | FROM ubuntu
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/089/Dockerfile.
File: /lessons/089/Dockerfile:1-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM ubuntu
2 |
3 | RUN apt-get update
4 |
5 | RUN apt-get -y install nginx
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/089/Dockerfile.
File: /lessons/089/Dockerfile:1-5
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM ubuntu
2 |
3 | RUN apt-get update
4 |
5 | RUN apt-get -y install nginx
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/071/express/Dockerfile.
File: /lessons/071/express/Dockerfile:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM node:16-alpine3.11
2 |
3 | WORKDIR /usr/src/app
4 |
5 | COPY package*.json ./
6 |
7 | RUN npm ci --only=production
8 |
9 | COPY server.js .
10 |
11 | CMD [ "node", "server.js" ]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/071/express/Dockerfile.
File: /lessons/071/express/Dockerfile:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM node:16-alpine3.11
2 |
3 | WORKDIR /usr/src/app
4 |
5 | COPY package*.json ./
6 |
7 | RUN npm ci --only=production
8 |
9 | COPY server.js .
10 |
11 | CMD [ "node", "server.js" ]
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /lessons/171/myapp/Dockerfile.FROM
File: /lessons/171/myapp/Dockerfile:14-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
14 | FROM gcr.io/distroless/base-debian11
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/171/myapp/Dockerfile.
File: /lessons/171/myapp/Dockerfile:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM golang:1.20.6-bullseye AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY main.go .
11 |
12 | RUN go build -o /myapp main.go
13 |
14 | FROM gcr.io/distroless/base-debian11
15 |
16 | COPY --from=build /myapp /myapp
17 |
18 | ENTRYPOINT ["/myapp"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/171/myapp/Dockerfile.
File: /lessons/171/myapp/Dockerfile:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM golang:1.20.6-bullseye AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY main.go .
11 |
12 | RUN go build -o /myapp main.go
13 |
14 | FROM gcr.io/distroless/base-debian11
15 |
16 | COPY --from=build /myapp /myapp
17 |
18 | ENTRYPOINT ["/myapp"]
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /lessons/136/my-app/Dockerfile.FROM
File: /lessons/136/my-app/Dockerfile:14-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
14 | FROM gcr.io/distroless/base-debian11
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/136/my-app/Dockerfile.
File: /lessons/136/my-app/Dockerfile:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM golang:1.19.3-buster AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY server.go ./
11 |
12 | RUN go build -o /my-app
13 |
14 | FROM gcr.io/distroless/base-debian11
15 |
16 | COPY --from=build /my-app /my-app
17 |
18 | ENTRYPOINT ["/my-app"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/136/my-app/Dockerfile.
File: /lessons/136/my-app/Dockerfile:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM golang:1.19.3-buster AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY server.go ./
11 |
12 | RUN go build -o /my-app
13 |
14 | FROM gcr.io/distroless/base-debian11
15 |
16 | COPY --from=build /my-app /my-app
17 |
18 | ENTRYPOINT ["/my-app"]
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/076/wall-e/Dockerfile.
File: /lessons/076/wall-e/Dockerfile:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM public.ecr.aws/lambda/nodejs:14
2 |
3 | COPY *.js package*.json /var/task/
4 |
5 | RUN npm ci --production
6 |
7 | CMD [ "app.handler" ]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/076/wall-e/Dockerfile.
File: /lessons/076/wall-e/Dockerfile:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM public.ecr.aws/lambda/nodejs:14
2 |
3 | COPY *.js package*.json /var/task/
4 |
5 | RUN npm ci --production
6 |
7 | CMD [ "app.handler" ]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/050/drage/Dockerfile.
File: /lessons/050/drage/Dockerfile:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM node:15.10.0 AS builder
2 |
3 | WORKDIR /app
4 |
5 | COPY package*.json ./
6 |
7 | # RUN npm ci --only=production
8 | RUN npm install
9 |
10 | COPY . .
11 |
12 | RUN npm run build
13 |
14 | FROM node:15.10.0-alpine
15 |
16 | WORKDIR /app
17 |
18 | COPY --from=builder /app ./
19 |
20 | USER node
21 |
22 | CMD ["npm", "run", "start:prod"]
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /lessons/172/myapp/service-a.Dockerfile.FROM
File: /lessons/172/myapp/service-a.Dockerfile:14-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
14 | FROM gcr.io/distroless/base-debian11
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/172/myapp/service-a.Dockerfile.
File: /lessons/172/myapp/service-a.Dockerfile:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM golang:1.20.6-bullseye AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY cmd/service-a/main.go ./cmd/service-a/
11 |
12 | RUN go build -o /myapp cmd/service-a/main.go
13 |
14 | FROM gcr.io/distroless/base-debian11
15 |
16 | COPY --from=build /myapp /myapp
17 |
18 | ENTRYPOINT ["/myapp"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/172/myapp/service-a.Dockerfile.
File: /lessons/172/myapp/service-a.Dockerfile:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM golang:1.20.6-bullseye AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY cmd/service-a/main.go ./cmd/service-a/
11 |
12 | RUN go build -o /myapp cmd/service-a/main.go
13 |
14 | FROM gcr.io/distroless/base-debian11
15 |
16 | COPY --from=build /myapp /myapp
17 |
18 | ENTRYPOINT ["/myapp"]
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /lessons/143/node-app/service-a.Dockerfile.FROM
File: /lessons/143/node-app/service-a.Dockerfile:9-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
9 | FROM gcr.io/distroless/nodejs18-debian11
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/143/node-app/service-a.Dockerfile.
File: /lessons/143/node-app/service-a.Dockerfile:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM node:18 AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY service-a.js package*.json .
6 |
7 | RUN npm ci --only=production
8 |
9 | FROM gcr.io/distroless/nodejs18-debian11
10 |
11 | COPY --from=build /app /app
12 |
13 | WORKDIR /app
14 |
15 | CMD ["service-a.js"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/143/node-app/service-a.Dockerfile.
File: /lessons/143/node-app/service-a.Dockerfile:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM node:18 AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY service-a.js package*.json .
6 |
7 | RUN npm ci --only=production
8 |
9 | FROM gcr.io/distroless/nodejs18-debian11
10 |
11 | COPY --from=build /app /app
12 |
13 | WORKDIR /app
14 |
15 | CMD ["service-a.js"]
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /lessons/141/prometheus-nginx-exporter/Dockerfile.FROM
File: /lessons/141/prometheus-nginx-exporter/Dockerfile:15-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
15 | FROM gcr.io/distroless/base-debian11
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /lessons/141/prometheus-nginx-exporter/Dockerfile.
File: /lessons/141/prometheus-nginx-exporter/Dockerfile:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM golang:1.19.4-buster AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY cmd/exporter/ ./cmd/exporter
11 | COPY basic_collector.go basic.go .
12 |
13 | RUN go build -o /exporter cmd/exporter/main.go
14 |
15 | FROM gcr.io/distroless/base-debian11
16 |
17 | COPY --from=build /exporter /exporter
18 |
19 | ENTRYPOINT ["/exporter"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /lessons/141/prometheus-nginx-exporter/Dockerfile.
File: /lessons/141/prometheus-nginx-exporter/Dockerfile:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM golang:1.19.4-buster AS build
2 |
3 | WORKDIR /app
4 |
5 | COPY go.mod ./
6 | COPY go.sum ./
7 |
8 | RUN go mod download && go mod verify
9 |
10 | COPY cmd/exporter/ ./cmd/exporter
11 | COPY basic_collector.go basic.go .
12 |
13 | RUN go build -o /exporter cmd/exporter/main.go
14 |
15 | FROM gcr.io/distroless/base-debian11
16 |
17 | COPY --from=build /exporter /exporter
18 |
19 | ENTRYPOINT ["/exporter"]
secrets scan results:
Passed checks: 0, Failed checks: 68, Skipped checks: 0
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: e433f187cfb04becd10ab686d460352d9f9a6f7e
File: /lessons/042/secret-v1.yaml:8-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
8 | token: c2Vj************
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 40ec7247ab11ff90928ea4b3d3763b8310db1213
File: /lessons/042/secret-v2.yaml:8-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
8 | token: se*********
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: ddb0541f39df42c1f0e9ceef41d4125ac7f4f2da
File: /lessons/043/k8s/01-secret.yaml:9-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
9 | password: c2V*********
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: bd31bdaedf8bf9dfcc6f5dbadec6f8cc47b22151
File: /lessons/044/k8s/03-secret.yaml:9-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
9 | token: JDMj************
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: c00efbcb2784322b38deb14601b360cfddd1b8a3
File: /lessons/044/k8s/04-sealedsecret.yaml:9-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
9 | token: AgBpFC**********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 11f0b6aad889e6e3d00a24835dbbd060fcd0ca4d
File: /lessons/046/k8s/4-cert-manager.yaml:6-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
6 | cert-manager.io/inject-ca-from-secret: cert-m******************************
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 402720a0a1cf4494318ee024a43898d4166eed11
File: /lessons/049/grafana/4-secret.yaml:10-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
10 | admin-password: cGFz************
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 9fa3e3084dba980b7675647509f336690e64c2a0
File: /lessons/050/k8s/drage/2-secrets.yaml:9-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
9 | db-password: c2Vjcm******************
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 402720a0a1cf4494318ee024a43898d4166eed11
File: /lessons/050/k8s/mongodb/2-mongodb-secrets.yaml:9-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
9 | mongodb-root-password: cGFz************
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 9fa3e3084dba980b7675647509f336690e64c2a0
File: /lessons/050/k8s/mongodb/2-mongodb-secrets.yaml:10-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
10 | mongodb-password: c2Vjcm******************
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 116de62cebc3fa1bfcb5e0e0b1af44c8e5bbf5f1
File: /lessons/082/example-7/1-secrets.yaml:9-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
9 | postgresql-password: ZGV*********
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 116de62cebc3fa1bfcb5e0e0b1af44c8e5bbf5f1
File: /lessons/082/grafana/0-secret.yaml:10-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
10 | admin-password: ZGV*********
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 116de62cebc3fa1bfcb5e0e0b1af44c8e5bbf5f1
File: /lessons/083/grafana/0-secret.yaml:10-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
10 | admin-password: ZGV*********
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: adc7464351cb3c41951616b432f889e33d6234af
File: /lessons/083/helm-generated-yaml/cert-manager/templates/crds.yaml:8-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
8 | cert-manager.io/inject-ca-from-secret: 'cert-m***************************************'
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: adc7464351cb3c41951616b432f889e33d6234af
File: /lessons/083/helm-generated-yaml/cert-manager/templates/webhook-mutating-webhook.yaml:16-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
16 | cert-manager.io/inject-ca-from-secret: "cert-m***************************************"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: adc7464351cb3c41951616b432f889e33d6234af
File: /lessons/083/helm-generated-yaml/cert-manager/templates/webhook-validating-webhook.yaml:16-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
16 | cert-manager.io/inject-ca-from-secret: "cert-m***************************************"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 793001929c96f4237543a9517eeb50b5853fc76d
File: /lessons/105/k8s/grafana/secret.yaml:10-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
10 | admin-password: de*******
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 116de62cebc3fa1bfcb5e0e0b1af44c8e5bbf5f1
File: /lessons/130/k8s/grafana/1-secret.yaml:10-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
10 | admin-password: "ZGV*********"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 116de62cebc3fa1bfcb5e0e0b1af44c8e5bbf5f1
File: /lessons/132/k8s/grafana/0-secret.yaml:10-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
10 | admin-password: "ZGV*********" # base64 encoded "devops123"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 793001929c96f4237543a9517eeb50b5853fc76d
File: /lessons/132/k8s/grafana/0-secret.yaml:10-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
10 | admin-password: "ZGV2b3BzMTIz" # base64 encoded "de*******"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 116de62cebc3fa1bfcb5e0e0b1af44c8e5bbf5f1
File: /lessons/134/grafana/1-secret.yaml:10-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
10 | admin-password: "ZGV*********"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 116de62cebc3fa1bfcb5e0e0b1af44c8e5bbf5f1
File: /lessons/135/monitoring/grafana/1-secret.yaml:10-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
10 | admin-password: "ZGV*********"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 116de62cebc3fa1bfcb5e0e0b1af44c8e5bbf5f1
File: /lessons/136/monitoring/grafana/1-secret.yaml:10-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
10 | admin-password: "ZGV*********"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 116de62cebc3fa1bfcb5e0e0b1af44c8e5bbf5f1
File: /lessons/138/monitoring/grafana/1-secret.yaml:10-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
10 | admin-password: "ZGV*********"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 11f0b6aad889e6e3d00a24835dbbd060fcd0ca4d
File: /lessons/139/6-cert-manager/cert-manager.yaml:5442-5443
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
5442 | cert-manager.io/inject-ca-from-secret: "cert-m******************************"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 116de62cebc3fa1bfcb5e0e0b1af44c8e5bbf5f1
File: /lessons/139/9-monitoring/grafana/1-secret.yaml:10-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
10 | admin-password: "ZGV*********"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 116de62cebc3fa1bfcb5e0e0b1af44c8e5bbf5f1
File: /lessons/142/monitoring/grafana/1-secret.yaml:10-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
10 | admin-password: "ZGV*********"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 793001929c96f4237543a9517eeb50b5853fc76d
File: /lessons/143/docker-compose.yaml:14-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
14 | MINIO_ROOT_PASSWORD: de*******
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 793001929c96f4237543a9517eeb50b5853fc76d
File: /lessons/143/go-app/config.yaml:6-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
6 | secret: de*******
Check: CKV_SECRET_4: "Basic Auth Credentials"
FAILED for resource: 793001929c96f4237543a9517eeb50b5853fc76d
File: /lessons/143/go-app/config.yaml:11-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-4.html
11 | mongodbUri: "mongodb://root:de*******@localhost:27017/?retryWrites=true&w=majority"
Check: CKV_SECRET_4: "Basic Auth Credentials"
FAILED for resource: 793001929c96f4237543a9517eeb50b5853fc76d
File: /lessons/143/go-app/deploy/service-b/0-config.yaml:12-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-4.html
12 | mongodbUri: "mongodb://root:de*******@mongodb.mongodb:27017/?retryWrites=true&w=majority"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 116de62cebc3fa1bfcb5e0e0b1af44c8e5bbf5f1
File: /lessons/143/minio/secrets.yaml:10-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
10 | rootPassword: "ZGV*********"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 116de62cebc3fa1bfcb5e0e0b1af44c8e5bbf5f1
File: /lessons/143/mongodb/secrets.yaml:9-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
9 | mongodb-root-password: "ZGV*********"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 116de62cebc3fa1bfcb5e0e0b1af44c8e5bbf5f1
File: /lessons/143/monitoring/grafana/1-secret.yaml:10-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
10 | admin-password: "ZGV*********"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 793001929c96f4237543a9517eeb50b5853fc76d
File: /lessons/143/node-app/config.json:6-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
6 | "secret": "de*******",
Check: CKV_SECRET_4: "Basic Auth Credentials"
FAILED for resource: 793001929c96f4237543a9517eeb50b5853fc76d
File: /lessons/143/node-app/config.json:11-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-4.html
11 | "mongodbUri": "mongodb://root:de*******@localhost:27017/?retryWrites=true&w=majority"
Check: CKV_SECRET_4: "Basic Auth Credentials"
FAILED for resource: 793001929c96f4237543a9517eeb50b5853fc76d
File: /lessons/143/node-app/deploy/service-a/0-config.yaml:14-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-4.html
14 | "secret": "de*******",
Check: CKV_SECRET_4: "Basic Auth Credentials"
FAILED for resource: 793001929c96f4237543a9517eeb50b5853fc76d
File: /lessons/143/node-app/deploy/service-b/0-config.yaml:14-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-4.html
14 | "secret": "de*******",
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 793001929c96f4237543a9517eeb50b5853fc76d
File: /lessons/145/docker-compose.yaml:14-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
14 | MINIO_ROOT_PASSWORD: de*******
Check: CKV_SECRET_4: "Basic Auth Credentials"
FAILED for resource: 793001929c96f4237543a9517eeb50b5853fc76d
File: /lessons/145/docker-compose.yaml:33-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-4.html
33 | command: --mongodb.uri=mongodb://root:de*******@mongo:27017/ --collect-all
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 793001929c96f4237543a9517eeb50b5853fc76d
File: /lessons/145/go-app/config.yaml:6-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
6 | secret: de*******
Check: CKV_SECRET_4: "Basic Auth Credentials"
FAILED for resource: 793001929c96f4237543a9517eeb50b5853fc76d
File: /lessons/145/go-app/config.yaml:8-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-4.html
8 | mongodbUri: "mongodb://root:de*******@localhost:27017/?retryWrites=true&w=majority"
Check: CKV_SECRET_4: "Basic Auth Credentials"
FAILED for resource: 793001929c96f4237543a9517eeb50b5853fc76d
File: /lessons/145/go-app/deploy/config.yaml:14-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-4.html
14 | secret: de*******
Check: CKV_SECRET_4: "Basic Auth Credentials"
FAILED for resource: 793001929c96f4237543a9517eeb50b5853fc76d
File: /lessons/145/java-app/deploy/deployment.yaml:30-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-4.html
30 | value: "mongodb://root:de*******@mongodb.mongodb:27017/?retryWrites=true&w=majority"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 116de62cebc3fa1bfcb5e0e0b1af44c8e5bbf5f1
File: /lessons/145/minio/secrets.yaml:10-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
10 | rootPassword: "ZGV*********"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 116de62cebc3fa1bfcb5e0e0b1af44c8e5bbf5f1
File: /lessons/145/mongodb/secrets.yaml:9-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
9 | mongodb-root-password: "ZGV*********"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 116de62cebc3fa1bfcb5e0e0b1af44c8e5bbf5f1
File: /lessons/145/monitoring/grafana/secret.yaml:10-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
10 | admin-password: "ZGV*********"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 116de62cebc3fa1bfcb5e0e0b1af44c8e5bbf5f1
File: /lessons/147/monitoring/grafana/secret.yaml:10-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
10 | admin-password: "ZGV*********"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 116de62cebc3fa1bfcb5e0e0b1af44c8e5bbf5f1
File: /lessons/149/monitoring/grafana/secret.yaml:10-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
10 | admin-password: "ZGV*********"
Check: CKV_SECRET_14: "Slack Token"
FAILED for resource: 3b3aa77f03e68c73b6bd38ce075c767a471c8861
File: /lessons/154/alertmanager/0-config.yaml:28-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-14.html
28 | api_url: "https:************************************************************************"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: fc4b79ff2005c1bfacead828184f0c8aad8fd860
File: /lessons/154/grafana-values.yaml:378-379
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
378 | passwordKey: adm***********
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 11f0b6aad889e6e3d00a24835dbbd060fcd0ca4d
File: /lessons/155/cert-manager/cert-manager.yaml:5452-5453
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
5452 | cert-manager.io/inject-ca-from-secret: "cert-m******************************"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 116de62cebc3fa1bfcb5e0e0b1af44c8e5bbf5f1
File: /lessons/155/monitoring/grafana/1-secret.yaml:10-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
10 | admin-password: "ZGV*********"
Check: CKV_SECRET_13: "Private Key"
FAILED for resource: 7e68c86c43e4dee5e30ce1f225373264002e305f
File: /lessons/159/1-example/repo-secret.yaml:11-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-13.html
11 | sshPrivateKey: |
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 36c3b13ce7e0d3ecfbc3ef8abc35abf4e92d6210
File: /lessons/159/6-example/sealed-repo-secret.yaml:11-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
11 | sshPrivateKey: AgCg7v**************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 1603a99896899a2de4015992cf06541e46bafbb2
File: /lessons/159/chartmuseum.yaml:357-358
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
357 | publicKeySecret: chart*****************
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 793001929c96f4237543a9517eeb50b5853fc76d
File: /lessons/162/1-part/3-rds.tf:13-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
13 | password = "de*******"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 793001929c96f4237543a9517eeb50b5853fc76d
File: /lessons/162/3-part/db-creds.yml:3-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
3 | password: de*******
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 116de62cebc3fa1bfcb5e0e0b1af44c8e5bbf5f1
File: /lessons/163/minio/secrets.yaml:12-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
12 | rootPassword: "ZGV*********"
Check: CKV_SECRET_13: "Private Key"
FAILED for resource: a187440a8f5e64bdc44eedfd0c52bf7bb90b1f89
File: /lessons/163/prometheus-2/6-prometheus-tls.yaml:24-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-13.html
24 | tls.key: |
Check: CKV_SECRET_13: "Private Key"
FAILED for resource: 17b114f1be165aadb89830ccecd60b0515b42441
File: /lessons/163/prometheus/7-sidecar-tls.yaml:31-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-13.html
31 | tls.key: |
Check: CKV_SECRET_13: "Private Key"
FAILED for resource: 42909a752e8d1c5cae429faf9286f082cc5c9c1f
File: /lessons/163/receiver-tls.yaml:29-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-13.html
29 | tls.key: |
Check: CKV_SECRET_13: "Private Key"
FAILED for resource: e3ed4280734898ac64829067fe87dac05f74969f
File: /lessons/163/thanos/7-querier-tls.yaml:29-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-13.html
29 | tls.key: |
Check: CKV_SECRET_13: "Private Key"
FAILED for resource: a05480d44cab4e5261b82747bf940bf7f45cd151
File: /lessons/163/thanos/8-storegateway-tls.yaml:31-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-13.html
31 | tls.key: |
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 793001929c96f4237543a9517eeb50b5853fc76d
File: /lessons/165/infra/main.tf:21-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
21 | password = "de*******"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 116de62cebc3fa1bfcb5e0e0b1af44c8e5bbf5f1
File: /lessons/171/monitoring/grafana/secret.yaml:10-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
10 | admin-password: "ZGV*********"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 116de62cebc3fa1bfcb5e0e0b1af44c8e5bbf5f1
File: /lessons/172/monitoring/grafana/secret.yaml:10-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
10 | admin-password: "ZGV*********"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 116de62cebc3fa1bfcb5e0e0b1af44c8e5bbf5f1
File: /lessons/173/monitoring/grafana/secret.yaml:10-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
10 | admin-password: "ZGV*********"
github_actions scan results:
Passed checks: 31, Failed checks: 1, Skipped checks: 0
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Build and Deploy React App to CloudFront)
File: /lessons/110/www.devopsbyexample.io/.github/workflows/build-and-deploy.yaml:0-1
openapi scan results:
Passed checks: 15, Failed checks: 5, Skipped checks: 0
Check: CKV_OPENAPI_6: "Ensure that security requirement defined in securityDefinitions - version 2.0 files"
FAILED for resource: security
File: /lessons/106/openapi2-functions.yaml:2-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/api-policies/openapi-policies/ensure-that-security-requirement-defined-in-securitydefinitions.html
2 | swagger: '2.0'
3 | info:
4 | title: test-name-spec
5 | description: Sample API on API Gateway with a Google Cloud Functions backend
6 | version: 1.0.0
7 | schemes:
8 | - https
9 | produces:
10 | - application/json
11 | paths:
12 | /hello:
13 | get:
14 | summary: Greet a user
15 | operationId: hello
16 | x-google-backend:
17 | address: https://us-central1-devopsbyexample-v2.cloudfunctions.net/backend-function
18 | responses:
19 | '200':
20 | description: A successful response
21 | schema:
22 | type: string
Check: CKV_OPENAPI_5: "Ensure that security operations is not empty."
FAILED for resource: security
File: /lessons/106/openapi2-functions.yaml:2-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/api-policies/openapi-policies/ensure-that-security-operations-is-not-empty.html
2 | swagger: '2.0'
3 | info:
4 | title: test-name-spec
5 | description: Sample API on API Gateway with a Google Cloud Functions backend
6 | version: 1.0.0
7 | schemes:
8 | - https
9 | produces:
10 | - application/json
11 | paths:
12 | /hello:
13 | get:
14 | summary: Greet a user
15 | operationId: hello
16 | x-google-backend:
17 | address: https://us-central1-devopsbyexample-v2.cloudfunctions.net/backend-function
18 | responses:
19 | '200':
20 | description: A successful response
21 | schema:
22 | type: string
Check: CKV_OPENAPI_4: "Ensure that the global security field has rules defined"
FAILED for resource: security
File: /lessons/106/openapi2-functions.yaml:2-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/api-policies/openapi-policies/ensure-that-the-global-security-field-has-rules-defined.html
2 | swagger: '2.0'
3 | info:
4 | title: test-name-spec
5 | description: Sample API on API Gateway with a Google Cloud Functions backend
6 | version: 1.0.0
7 | schemes:
8 | - https
9 | produces:
10 | - application/json
11 | paths:
12 | /hello:
13 | get:
14 | summary: Greet a user
15 | operationId: hello
16 | x-google-backend:
17 | address: https://us-central1-devopsbyexample-v2.cloudfunctions.net/backend-function
18 | responses:
19 | '200':
20 | description: A successful response
21 | schema:
22 | type: string
Check: CKV_OPENAPI_16: "Ensure that operation objects have 'produces' field defined for GET operations - version 2.0 files"
FAILED for resource: paths
File: /lessons/106/openapi2-functions.yaml:14-24
14 | summary: Greet a user
15 | operationId: hello
16 | x-google-backend:
17 | address: https://us-central1-devopsbyexample-v2.cloudfunctions.net/backend-function
18 | responses:
19 | '200':
20 | description: A successful response
21 | schema:
22 | type: string
Check: CKV_OPENAPI_1: "Ensure that securityDefinitions is defined and not empty - version 2.0 files"
FAILED for resource: securityDefinitions
File: /lessons/106/openapi2-functions.yaml:2-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/api-policies/openapi-policies/ensure-that-securitydefinitions-is-defined-and-not-empty.html
2 | swagger: '2.0'
3 | info:
4 | title: test-name-spec
5 | description: Sample API on API Gateway with a Google Cloud Functions backend
6 | version: 1.0.0
7 | schemes:
8 | - https
9 | produces:
10 | - application/json
11 | paths:
12 | /hello:
13 | get:
14 | summary: Greet a user
15 | operationId: hello
16 | x-google-backend:
17 | address: https://us-central1-devopsbyexample-v2.cloudfunctions.net/backend-function
18 | responses:
19 | '200':
20 | description: A successful response
21 | schema:
22 | type: string
circleci_pipelines scan results:
Passed checks: 2, Failed checks: 0, Skipped checks: 0
ansible scan results:
Passed checks: 46, Failed checks: 0, Skipped checks: 0
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools