| Repository | ChristianLempa / boilerplates |
|---|---|
| Description | This is my personal template collection. Here you'll find templates and configurations for various tools and technologies. |
| Stars | 2915 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation: no security scanning tool was found in any of the CI/CD configuration files in the repository.

There is an opportunity to:

- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output below).
- Implement one of the security scanning tools within the CI/CD framework used by the repository, so that every push and pull request is scanned and a FAILED check blocks the merge.
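The second item, wiring the scanner into CI, looks like the workflow below. This is an added example, not a file from the boilerplates repository; it assumes GitHub Actions is the CI framework (the report found no CI configuration at all), and the workflow name, branch filter and pinned checkov version series are assumptions to adjust.

```yaml
# .github/workflows/checkov.yml
# Added example, not part of the boilerplates repository. Assumes GitHub
# Actions is the CI framework; name, branch filter and the checkov version
# series are assumptions.
name: checkov

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read

jobs:
  iac-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"

      # Pin the scanner so a new checkov release cannot silently change
      # which policies run; bump the pin deliberately after reviewing
      # the new checks. The 3.0.* series is an assumption.
      - name: Install checkov
        run: pip install "checkov==3.0.*"

      # Scan the two directories the report covers with the same two
      # frameworks it used. checkov exits non-zero when any check FAILS,
      # which fails this job and therefore blocks the merge.
      - name: Scan Terraform and Kubernetes manifests
        run: |
          checkov \
            --directory terraform \
            --directory kubernetes \
            --framework terraform kubernetes \
            --quiet --compact
          # While the existing findings are being worked off, add
          # --soft-fail to report without failing the job, or waive one
          # policy with a recorded reason (e.g. --skip-check CKV_K8S_43),
          # rather than disabling the scan as a whole.
```

`--quiet` prints only the FAILED checks and `--compact` drops the repeated code blocks, which keeps the job log to the findings themselves; the full per-resource output in this report is what you get without those two flags.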
Checkov Output
terraform scan results:
Passed checks: 38, Failed checks: 22, Skipped checks: 0
Check: CKV_K8S_11: "CPU Limits should be set"
FAILED for resource: kubernetes_deployment.your-deployment
File: /terraform/kubernetes/deployment.tf:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | resource "kubernetes_deployment" "your-deployment" {
2 |
3 |   depends_on = [kubernetes_namespace.your-namespace]
4 |
5 |   metadata {
6 |     name      = "your-deployment"
7 |     namespace = "your-namespace"
8 |     labels = {
9 |       app = "your-app-selector"
10 |     }
11 |   }
12 |
13 |   spec {
14 |     replicas = 1
15 |
16 |     selector {
17 |       match_labels = {
18 |         app = "your-app-selector"
19 |       }
20 |     }
21 |
22 |     template {
23 |       metadata {
24 |         labels = {
25 |           app = "your-app-selector"
26 |         }
27 |       }
28 |
29 |       spec {
30 |         container {
31 |           image = "your-image:latest"
32 |           name  = "your-container"
33 |
34 |           port {
35 |             container_port = 80
36 |           }
37 |         }
38 |       }
39 |     }
40 |   }
41 | }
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: kubernetes_deployment.your-deployment
File: /terraform/kubernetes/deployment.tf:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your pods and containers"
FAILED for resource: kubernetes_deployment.your-deployment
File: /terraform/kubernetes/deployment.tf:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
FAILED for resource: kubernetes_deployment.your-deployment
File: /terraform/kubernetes/deployment.tf:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: kubernetes_deployment.your-deployment
File: /terraform/kubernetes/deployment.tf:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: kubernetes_deployment.your-deployment
File: /terraform/kubernetes/deployment.tf:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: kubernetes_deployment.your-deployment
File: /terraform/kubernetes/deployment.tf:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_12: "Memory Limits should be set"
FAILED for resource: kubernetes_deployment.your-deployment
File: /terraform/kubernetes/deployment.tf:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: kubernetes_deployment.your-deployment
File: /terraform/kubernetes/deployment.tf:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_13: "Memory requests should be set"
FAILED for resource: kubernetes_deployment.your-deployment
File: /terraform/kubernetes/deployment.tf:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: kubernetes_deployment.your-deployment
File: /terraform/kubernetes/deployment.tf:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_11: "CPU Limits should be set"
FAILED for resource: kubernetes_deployment.nginx1
File: /terraform/templates/kubernetes-automation-example/nginx1.tf:19-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
19 | resource "kubernetes_deployment" "nginx1" {
20 |
21 |   depends_on = [
22 |     kubernetes_namespace.nginx1
23 |   ]
24 |
25 |   metadata {
26 |     name      = "nginx1"
27 |     namespace = "nginx1"
28 |     labels = {
29 |       app = "nginx1"
30 |     }
31 |   }
32 |
33 |   spec {
34 |     replicas = 1
35 |
36 |     selector {
37 |       match_labels = {
38 |         app = "nginx1"
39 |       }
40 |     }
41 |
42 |     template {
43 |       metadata {
44 |         labels = {
45 |           app = "nginx1"
46 |         }
47 |       }
48 |
49 |       spec {
50 |         container {
51 |           image = "nginx:latest"
52 |           name  = "nginx"
53 |
54 |           port {
55 |             container_port = 80
56 |           }
57 |         }
58 |       }
59 |     }
60 |   }
61 | }
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: kubernetes_deployment.nginx1
File: /terraform/templates/kubernetes-automation-example/nginx1.tf:19-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your pods and containers"
FAILED for resource: kubernetes_deployment.nginx1
File: /terraform/templates/kubernetes-automation-example/nginx1.tf:19-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods, deployments and daemon_sets"
FAILED for resource: kubernetes_deployment.nginx1
File: /terraform/templates/kubernetes-automation-example/nginx1.tf:19-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: kubernetes_deployment.nginx1
File: /terraform/templates/kubernetes-automation-example/nginx1.tf:19-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: kubernetes_deployment.nginx1
File: /terraform/templates/kubernetes-automation-example/nginx1.tf:19-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: kubernetes_deployment.nginx1
File: /terraform/templates/kubernetes-automation-example/nginx1.tf:19-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_12: "Memory Limits should be set"
FAILED for resource: kubernetes_deployment.nginx1
File: /terraform/templates/kubernetes-automation-example/nginx1.tf:19-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: kubernetes_deployment.nginx1
File: /terraform/templates/kubernetes-automation-example/nginx1.tf:19-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_13: "Memory requests should be set"
FAILED for resource: kubernetes_deployment.nginx1
File: /terraform/templates/kubernetes-automation-example/nginx1.tf:19-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: kubernetes_deployment.nginx1
File: /terraform/templates/kubernetes-automation-example/nginx1.tf:19-61
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
kubernetes scan results:
Passed checks: 558, Failed checks: 169, Skipped checks: 0
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.namespace.appname
File: /kubernetes/templates/deployment.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: appname # Name of the deployment
5 |   namespace: namespace # Name of the namespace
6 |   labels:
7 |     app: appname # Name of your application
8 | spec:
9 |   selector:
10 |     matchLabels:
11 |       app: appname # Name of your application
12 |   replicas: 1 # Number of replicas
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: appname # Name of your application
17 |     spec:
18 |       containers:
19 |         # Containers are the individual pieces of your application that you want
20 |         # to run.
21 |         - name: helloworld # Name of the container
22 |           image: helloworld:latest # The image you want to run
23 |           # resources:
24 |           #   limits:
25 |           #     memory: 512Mi
26 |           #     cpu: "1"
27 |           #   requests:
28 |           #     memory: 256Mi
29 |           #     cpu: "0.2"
30 |           ports:
31 |             # Ports are the ports that your application uses.
32 |             - containerPort: 8080 # The port that your application uses
33 |           volumeMounts:
34 |             # VolumeMounts are the volumes that your application uses.
35 |             - mountPath: /var/www/html # The path that your application uses
36 |               name: vol0 # Name of the volume
37 |       volumes:
38 |         # Volumes are the persistent storage that your application uses.
39 |         - name: vol0 # Name of the volume
40 |           persistentVolumeClaim:
41 |             claimName: pvc0 # Name of the persistent volume claim
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.namespace.appname
File: /kubernetes/templates/deployment.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.namespace.appname
File: /kubernetes/templates/deployment.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.namespace.appname
File: /kubernetes/templates/deployment.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.namespace.appname
File: /kubernetes/templates/deployment.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.namespace.appname
File: /kubernetes/templates/deployment.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.namespace.appname
File: /kubernetes/templates/deployment.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.namespace.appname
File: /kubernetes/templates/deployment.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.namespace.appname
File: /kubernetes/templates/deployment.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.namespace.appname
File: /kubernetes/templates/deployment.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.namespace.appname
File: /kubernetes/templates/deployment.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.namespace.appname
File: /kubernetes/templates/deployment.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.namespace.appname
File: /kubernetes/templates/deployment.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.namespace.appname
File: /kubernetes/templates/deployment.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.namespace.appname
File: /kubernetes/templates/deployment.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.namespace.appname
File: /kubernetes/templates/deployment.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.namespace.appname
File: /kubernetes/templates/deployment.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.namespace.appname
File: /kubernetes/templates/deployment.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nfs-web
File: /kubernetes/templates/pv-and-pvc/nfs-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nfs-web
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: nfs-web
10 | template:
11 | metadata:
12 | labels:
13 | app: nfs-web
14 | spec:
15 | containers:
16 | - name: nfs-web
17 | image: nginx
18 | ports:
19 | - name: web
20 | containerPort: 80
21 | volumeMounts:
22 | - name: nfs
23 | mountPath: /usr/share/nginx/html
24 | volumes:
25 | - name: nfs
26 | persistentVolumeClaim:
27 | claimName: nfs
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nfs-web
File: /kubernetes/templates/pv-and-pvc/nfs-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.nfs-web
File: /kubernetes/templates/pv-and-pvc/nfs-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nfs-web
File: /kubernetes/templates/pv-and-pvc/nfs-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nfs-web
File: /kubernetes/templates/pv-and-pvc/nfs-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nfs-web
File: /kubernetes/templates/pv-and-pvc/nfs-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nfs-web
File: /kubernetes/templates/pv-and-pvc/nfs-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nfs-web
File: /kubernetes/templates/pv-and-pvc/nfs-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nfs-web
File: /kubernetes/templates/pv-and-pvc/nfs-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nfs-web
File: /kubernetes/templates/pv-and-pvc/nfs-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nfs-web
File: /kubernetes/templates/pv-and-pvc/nfs-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nfs-web
File: /kubernetes/templates/pv-and-pvc/nfs-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nfs-web
File: /kubernetes/templates/pv-and-pvc/nfs-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nfs-web
File: /kubernetes/templates/pv-and-pvc/nfs-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nfs-web
File: /kubernetes/templates/pv-and-pvc/nfs-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nfs-web
File: /kubernetes/templates/pv-and-pvc/nfs-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.nfs-web
File: /kubernetes/templates/pv-and-pvc/nfs-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.nfs-web
File: /kubernetes/templates/pv-and-pvc/nfs-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nfs-web
File: /kubernetes/templates/pv-and-pvc/nfs-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.local-web
File: /kubernetes/templates/pv-and-pvc/local-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: local-web
5 | spec:
6 |   replicas: 1
7 |   selector:
8 |     matchLabels:
9 |       app: local-web
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: local-web
14 |     spec:
15 |       containers:
16 |       - name: local-web
17 |         image: nginx
18 |         ports:
19 |         - name: web
20 |           containerPort: 80
21 |         volumeMounts:
22 |         - name: local
23 |           mountPath: /usr/share/nginx/html
24 |       volumes:
25 |       - name: local
26 |         hostPath:
27 |           path: /var/nginxserver
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.local-web
File: /kubernetes/templates/pv-and-pvc/local-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.local-web
File: /kubernetes/templates/pv-and-pvc/local-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.local-web
File: /kubernetes/templates/pv-and-pvc/local-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.local-web
File: /kubernetes/templates/pv-and-pvc/local-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.local-web
File: /kubernetes/templates/pv-and-pvc/local-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.local-web
File: /kubernetes/templates/pv-and-pvc/local-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.local-web
File: /kubernetes/templates/pv-and-pvc/local-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.local-web
File: /kubernetes/templates/pv-and-pvc/local-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.local-web
File: /kubernetes/templates/pv-and-pvc/local-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.local-web
File: /kubernetes/templates/pv-and-pvc/local-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.local-web
File: /kubernetes/templates/pv-and-pvc/local-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.local-web
File: /kubernetes/templates/pv-and-pvc/local-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.local-web
File: /kubernetes/templates/pv-and-pvc/local-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.local-web
File: /kubernetes/templates/pv-and-pvc/local-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.local-web
File: /kubernetes/templates/pv-and-pvc/local-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.local-web
File: /kubernetes/templates/pv-and-pvc/local-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.local-web
File: /kubernetes/templates/pv-and-pvc/local-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.local-web
File: /kubernetes/templates/pv-and-pvc/local-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.civo-web
File: /kubernetes/templates/pv-and-pvc/civo-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: civo-web
5 | spec:
6 |   replicas: 1
7 |   selector:
8 |     matchLabels:
9 |       app: civo-web
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: civo-web
14 |     spec:
15 |       containers:
16 |       - name: civo-web
17 |         image: nginx
18 |         ports:
19 |         - name: web
20 |           containerPort: 80
21 |         volumeMounts:
22 |         - name: civo
23 |           mountPath: /usr/share/nginx/html
24 |       volumes:
25 |       - name: civo
26 |         persistentVolumeClaim:
27 |           claimName: civo
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.civo-web
File: /kubernetes/templates/pv-and-pvc/civo-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.civo-web
File: /kubernetes/templates/pv-and-pvc/civo-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.civo-web
File: /kubernetes/templates/pv-and-pvc/civo-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.civo-web
File: /kubernetes/templates/pv-and-pvc/civo-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.civo-web
File: /kubernetes/templates/pv-and-pvc/civo-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.civo-web
File: /kubernetes/templates/pv-and-pvc/civo-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.civo-web
File: /kubernetes/templates/pv-and-pvc/civo-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.civo-web
File: /kubernetes/templates/pv-and-pvc/civo-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.civo-web
File: /kubernetes/templates/pv-and-pvc/civo-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.civo-web
File: /kubernetes/templates/pv-and-pvc/civo-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.civo-web
File: /kubernetes/templates/pv-and-pvc/civo-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.civo-web
File: /kubernetes/templates/pv-and-pvc/civo-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.civo-web
File: /kubernetes/templates/pv-and-pvc/civo-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.civo-web
File: /kubernetes/templates/pv-and-pvc/civo-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.civo-web
File: /kubernetes/templates/pv-and-pvc/civo-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.civo-web
File: /kubernetes/templates/pv-and-pvc/civo-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.civo-web
File: /kubernetes/templates/pv-and-pvc/civo-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.civo-web
File: /kubernetes/templates/pv-and-pvc/civo-web.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx-https
File: /kubernetes/templates/cm-and-secrets/nginx-https-deploy.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: nginx-https
5 | spec:
6 |   replicas: 1
7 |   selector:
8 |     matchLabels:
9 |       app: nginx-https
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: nginx-https
14 |     spec:
15 |       containers:
16 |       - name: nginx-https
17 |         image: nginx
18 |         ports:
19 |         - name: web
20 |           containerPort: 80
21 |         - name: secureweb
22 |           containerPort: 443
23 |         volumeMounts:
24 |         - name: nginx-https-cm
25 |           mountPath: /etc/nginx
26 |         - name: nginx-https-secret
27 |           mountPath: /etc/nginx/ssl
28 |           readOnly: true
29 |         - name: nginx-https-vol
30 |           mountPath: /usr/share/nginx/html
31 |       volumes:
32 |       - name: nginx-https-cm
33 |         configMap:
34 |           name: nginx-https-cm
35 |       - name: nginx-https-secret
36 |         secret:
37 |           secretName: nginx-https-secret
38 |       - name: nginx-https-vol
39 |         hostPath:
40 |           path: /var/nginxserver
41 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx-https
File: /kubernetes/templates/cm-and-secrets/nginx-https-deploy.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.nginx-https
File: /kubernetes/templates/cm-and-secrets/nginx-https-deploy.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx-https
File: /kubernetes/templates/cm-and-secrets/nginx-https-deploy.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx-https
File: /kubernetes/templates/cm-and-secrets/nginx-https-deploy.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx-https
File: /kubernetes/templates/cm-and-secrets/nginx-https-deploy.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-https
File: /kubernetes/templates/cm-and-secrets/nginx-https-deploy.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx-https
File: /kubernetes/templates/cm-and-secrets/nginx-https-deploy.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx-https
File: /kubernetes/templates/cm-and-secrets/nginx-https-deploy.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx-https
File: /kubernetes/templates/cm-and-secrets/nginx-https-deploy.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-https
File: /kubernetes/templates/cm-and-secrets/nginx-https-deploy.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx-https
File: /kubernetes/templates/cm-and-secrets/nginx-https-deploy.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx-https
File: /kubernetes/templates/cm-and-secrets/nginx-https-deploy.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx-https
File: /kubernetes/templates/cm-and-secrets/nginx-https-deploy.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx-https
File: /kubernetes/templates/cm-and-secrets/nginx-https-deploy.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx-https
File: /kubernetes/templates/cm-and-secrets/nginx-https-deploy.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.nginx-https
File: /kubernetes/templates/cm-and-secrets/nginx-https-deploy.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.nginx-https
File: /kubernetes/templates/cm-and-secrets/nginx-https-deploy.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx-https
File: /kubernetes/templates/cm-and-secrets/nginx-https-deploy.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.nginx-https-cm
File: /kubernetes/templates/cm-and-secrets/nginx-https-deploy.yml:42-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
42 | apiVersion: v1
43 | kind: ConfigMap
44 | metadata:
45 |   name: nginx-https-cm
46 | data:
47 |   nginx.conf: |
48 |     user nginx;
49 |     worker_processes 1;
50 |     events {
51 |       worker_connections 10240;
52 |     }
53 |     http {
54 |       server {
55 |         listen 80;
56 |         listen 443 ssl;
57 |
58 |         server_name _;
59 |
60 |         ssl_certificate /etc/nginx/ssl/server-cert.pem;
61 |         ssl_certificate_key /etc/nginx/ssl/server-key.pem;
62 |
63 |         location / {
64 |           root /usr/share/nginx/html;
65 |           index index.html index.htm;
66 |         }
67 |       }
68 |     }
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/templates/cm-and-secrets/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: nginx-http
5 | spec:
6 |   replicas: 1
7 |   selector:
8 |     matchLabels:
9 |       app: nginx-http
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: nginx-http
14 |     spec:
15 |       containers:
16 |       - name: nginx-http
17 |         image: nginx
18 |         ports:
19 |         - name: web
20 |           containerPort: 80
21 |         volumeMounts:
22 |         - name: nginx-http-cm
23 |           mountPath: /etc/nginx
24 |         - name: nginx-http-vol
25 |           mountPath: /usr/share/nginx/html
26 |       volumes:
27 |       - name: nginx-http-cm
28 |         configMap:
29 |           name: nginx-http-cm
30 |       - name: nginx-http-vol
31 |         hostPath:
32 |           path: /var/nginxserver
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/templates/cm-and-secrets/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/templates/cm-and-secrets/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/templates/cm-and-secrets/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/templates/cm-and-secrets/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/templates/cm-and-secrets/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/templates/cm-and-secrets/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/templates/cm-and-secrets/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/templates/cm-and-secrets/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/templates/cm-and-secrets/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/templates/cm-and-secrets/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/templates/cm-and-secrets/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/templates/cm-and-secrets/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/templates/cm-and-secrets/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/templates/cm-and-secrets/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/templates/cm-and-secrets/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/templates/cm-and-secrets/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/templates/cm-and-secrets/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/templates/cm-and-secrets/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
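Every nginx-http finding listed above can be closed inside the manifest itself. The Deployment below is an added example written for this report, not a file from the boilerplates repository. The namespace name `web`, the resource figures, the probe timings and the switch to the `nginxinc/nginx-unprivileged` image (needed so the pod can run as a non-root, high UID with a read-only root filesystem and all capabilities dropped) are assumptions, and the image digest is a placeholder to be resolved before use. Each field is annotated with the check it satisfies.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-http
  namespace: web                           # CKV_K8S_21: anything but "default" (name is an assumption)
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-http
  template:
    metadata:
      labels:
        app: nginx-http
    spec:
      automountServiceAccountToken: false  # CKV_K8S_38: a static web server never calls the API server
      securityContext:                     # CKV_K8S_29: pod-level context
        runAsNonRoot: true                 # CKV_K8S_23
        runAsUser: 10001                   # CKV_K8S_40: above the UID range of host accounts
        runAsGroup: 10001
        fsGroup: 10001
        seccompProfile:
          type: RuntimeDefault             # CKV_K8S_31
      containers:
        - name: nginx-http
          # CKV_K8S_14 + CKV_K8S_43: fixed tag and digest. The unprivileged image listens on
          # 8080 and keeps its pid file and caches under /tmp, so it runs under any UID.
          # Placeholder digest: resolve with `crane digest nginxinc/nginx-unprivileged:1.25.3-alpine`
          image: nginxinc/nginx-unprivileged:1.25.3-alpine@sha256:<digest>
          ports:
            - name: web
              containerPort: 8080
          securityContext:                 # CKV_K8S_30: container-level context
            allowPrivilegeEscalation: false  # CKV_K8S_20
            readOnlyRootFilesystem: true   # CKV_K8S_22
            capabilities:
              drop: ["ALL"]                # CKV_K8S_28 (NET_RAW) and CKV_K8S_37 (everything else)
          resources:                       # CKV_K8S_10 / 11 / 12 / 13; figures are assumptions
            requests: {cpu: 50m, memory: 64Mi}
            limits: {cpu: 250m, memory: 128Mi}
          readinessProbe:                  # CKV_K8S_9: assumes an index page is served at /
            httpGet: {path: /, port: web}
            initialDelaySeconds: 2
            periodSeconds: 5
          livenessProbe:                   # CKV_K8S_8
            httpGet: {path: /, port: web}
            initialDelaySeconds: 10
            periodSeconds: 10
          volumeMounts:
            - name: nginx-http-cm
              mountPath: /etc/nginx
            - name: nginx-http-vol
              mountPath: /usr/share/nginx/html
              readOnly: true               # static content; nginx has no reason to write here
            - name: tmp
              mountPath: /tmp              # the one writable path nginx needs with a read-only root
      volumes:
        - name: nginx-http-cm
          configMap:
            name: nginx-http-cm
        - name: nginx-http-vol
          hostPath:
            path: /var/nginxserver         # kept from the template; see the note below
        - name: tmp
          emptyDir: {}
```

Two things have to move together with this manifest. First, the nginx-http-cm ConfigMap must live in the same namespace (a Deployment can only reference ConfigMaps in its own namespace) and its nginx.conf must match the unprivileged layout: `listen 8080;` instead of 80, because a process that is not root and has dropped every capability cannot bind a port below 1024; `pid /tmp/nginx.pid;` and the `*_temp_path` directives pointing under /tmp, because the root filesystem is read-only; and the `user nginx;` line removed, because nginx only ignores it with a warning once the master process is not root. Second, the hostPath volume is kept exactly as the template declares it so the example stays comparable, but it is the one thing here checkov did not flag that deserves attention: a hostPath mount hands the pod a slice of the node's filesystem and is rejected by the baseline profile of the Pod Security Standards, so on any shared cluster a PersistentVolumeClaim is the right replacement.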
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.mysql
File: /kubernetes/templates/cm-and-secrets/mysql-deploy.yml:1-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: mysql
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: mysql
10 | template:
11 | metadata:
12 | labels:
13 | app: mysql
14 | spec:
15 | containers:
16 | - image: mysql:5.6
17 | name: mysql
18 | env:
19 | - name: MYSQL_ROOT_PASSWORD
20 | valueFrom:
21 | secretKeyRef:
22 | name: mysql-secret
23 | key: root-pass
24 | ports:
25 | - name: mysql
26 | containerPort: 3306
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.mysql
File: /kubernetes/templates/cm-and-secrets/mysql-deploy.yml:1-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.mysql
File: /kubernetes/templates/cm-and-secrets/mysql-deploy.yml:1-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.mysql
File: /kubernetes/templates/cm-and-secrets/mysql-deploy.yml:1-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.mysql
File: /kubernetes/templates/cm-and-secrets/mysql-deploy.yml:1-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.mysql
File: /kubernetes/templates/cm-and-secrets/mysql-deploy.yml:1-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.mysql
File: /kubernetes/templates/cm-and-secrets/mysql-deploy.yml:1-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.mysql
File: /kubernetes/templates/cm-and-secrets/mysql-deploy.yml:1-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.mysql
File: /kubernetes/templates/cm-and-secrets/mysql-deploy.yml:1-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.mysql
File: /kubernetes/templates/cm-and-secrets/mysql-deploy.yml:1-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.mysql
File: /kubernetes/templates/cm-and-secrets/mysql-deploy.yml:1-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.mysql
File: /kubernetes/templates/cm-and-secrets/mysql-deploy.yml:1-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.default.mysql
File: /kubernetes/templates/cm-and-secrets/mysql-deploy.yml:1-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.mysql
File: /kubernetes/templates/cm-and-secrets/mysql-deploy.yml:1-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.mysql
File: /kubernetes/templates/cm-and-secrets/mysql-deploy.yml:1-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.mysql
File: /kubernetes/templates/cm-and-secrets/mysql-deploy.yml:1-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.mysql
File: /kubernetes/templates/cm-and-secrets/mysql-deploy.yml:1-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.mysql
File: /kubernetes/templates/cm-and-secrets/mysql-deploy.yml:1-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.mysql
File: /kubernetes/templates/cm-and-secrets/mysql-deploy.yml:1-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.mysql
File: /kubernetes/templates/cm-and-secrets/mysql-deploy.yml:1-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: mysql
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: mysql
10 | template:
11 | metadata:
12 | labels:
13 | app: mysql
14 | spec:
15 | containers:
16 | - image: mysql:5.6
17 | name: mysql
18 | env:
19 | - name: MYSQL_ROOT_PASSWORD
20 | valueFrom:
21 | secretKeyRef:
22 | name: mysql-secret
23 | key: root-pass
24 | ports:
25 | - name: mysql
26 | containerPort: 3306
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.nginx-http-cm
File: /kubernetes/templates/cm-and-secrets/nginx-http-cm.yml:1-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: ConfigMap
3 | metadata:
4 | name: nginx-http-cm
5 | data:
6 | # key: value
7 | # file: |
8 | # content
9 | # ---
10 | nginx.conf: |
11 | user nginx;
12 | worker_processes 1;
13 | events {
14 | worker_connections 10240;
15 | }
16 | http {
17 | server {
18 | listen 80;
19 | server_name _;
20 | location / {
21 | root /usr/share/nginx/html;
22 | index index.html index.htm;
23 | }
24 | location /test {
25 | return 401;
26 | }
27 | }
28 | }
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.nginx-https-svc
File: /kubernetes/templates/cm-and-secrets/nginx-https-svc.yml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 | name: nginx-https-svc
5 | labels:
6 | app: nginx-https
7 | spec:
8 | type: LoadBalancer
9 | ports:
10 | - port: 31080
11 | targetPort: 80
12 | protocol: TCP
13 | name: http
14 | - port: 31443
15 | targetPort: 443
16 | protocol: TCP
17 | name: https
18 | selector:
19 | app: nginx-https
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.nginx-http-svc
File: /kubernetes/templates/cm-and-secrets/nginx-http-svc.yml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 | name: nginx-http-svc
5 | labels:
6 | app: nginx-http
7 | spec:
8 | type: LoadBalancer
9 | ports:
10 | - port: 30080
11 | targetPort: 80
12 | protocol: TCP
13 | name: http
14 | selector:
15 | app: nginx-http
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Secret.default.mysql-secret
File: /kubernetes/templates/cm-and-secrets/mysql-secret.yml:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Secret
3 | metadata:
4 | name: mysql-secret
5 | type: Opaque
6 | stringData:
7 | root-pass: test123
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Secret.default.nginx-https-secret
File: /kubernetes/templates/cm-and-secrets/nginx-https-secret-blank.yml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Secret
3 | metadata:
4 | name: nginx-https-secret
5 | type: Opaque
6 | stringData:
7 | server-cert.pem: |
8 | -----BEGIN CERTIFICATE-----
9 | ...
10 | -----END CERTIFICATE-----
11 | server-key.pem: |
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.nginx-https-cm
File: /kubernetes/templates/cm-and-secrets/nginx-https-cm.yml:1-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: ConfigMap
3 | metadata:
4 | name: nginx-https-cm
5 | data:
6 | nginx.conf: |
7 | user nginx;
8 | worker_processes 1;
9 | events {
10 | worker_connections 10240;
11 | }
12 | http {
13 | server {
14 | listen 80;
15 | listen 443 ssl;
16 |
17 | server_name _;
18 |
19 | ssl_certificate /etc/nginx/ssl/server-cert.pem;
20 | ssl_certificate_key /etc/nginx/ssl/server-key.pem;
21 |
22 | location / {
23 | root /usr/share/nginx/html;
24 | index index.html index.htm;
25 | }
26 | }
27 | }
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/nginx-http/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-http
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: nginx-http
10 | template:
11 | metadata:
12 | labels:
13 | app: nginx-http
14 | spec:
15 | containers:
16 | - name: nginx-http
17 | image: nginx
18 | ports:
19 | - name: web
20 | containerPort: 80
21 | volumeMounts:
22 | - name: nginx-http-cm
23 | mountPath: /etc/nginx
24 | - name: nginx-http-vol
25 | mountPath: /usr/share/nginx/html
26 | volumes:
27 | - name: nginx-http-cm
28 | configMap:
29 | name: nginx-http-cm
30 | - name: nginx-http-vol
31 | hostPath:
32 | path: /var/nginxserver
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/nginx-http/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-http
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: nginx-http
10 | template:
11 | metadata:
12 | labels:
13 | app: nginx-http
14 | spec:
15 | containers:
16 | - name: nginx-http
17 | image: nginx
18 | ports:
19 | - name: web
20 | containerPort: 80
21 | volumeMounts:
22 | - name: nginx-http-cm
23 | mountPath: /etc/nginx
24 | - name: nginx-http-vol
25 | mountPath: /usr/share/nginx/html
26 | volumes:
27 | - name: nginx-http-cm
28 | configMap:
29 | name: nginx-http-cm
30 | - name: nginx-http-vol
31 | hostPath:
32 | path: /var/nginxserver
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/nginx-http/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-http
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: nginx-http
10 | template:
11 | metadata:
12 | labels:
13 | app: nginx-http
14 | spec:
15 | containers:
16 | - name: nginx-http
17 | image: nginx
18 | ports:
19 | - name: web
20 | containerPort: 80
21 | volumeMounts:
22 | - name: nginx-http-cm
23 | mountPath: /etc/nginx
24 | - name: nginx-http-vol
25 | mountPath: /usr/share/nginx/html
26 | volumes:
27 | - name: nginx-http-cm
28 | configMap:
29 | name: nginx-http-cm
30 | - name: nginx-http-vol
31 | hostPath:
32 | path: /var/nginxserver
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/nginx-http/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-http
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: nginx-http
10 | template:
11 | metadata:
12 | labels:
13 | app: nginx-http
14 | spec:
15 | containers:
16 | - name: nginx-http
17 | image: nginx
18 | ports:
19 | - name: web
20 | containerPort: 80
21 | volumeMounts:
22 | - name: nginx-http-cm
23 | mountPath: /etc/nginx
24 | - name: nginx-http-vol
25 | mountPath: /usr/share/nginx/html
26 | volumes:
27 | - name: nginx-http-cm
28 | configMap:
29 | name: nginx-http-cm
30 | - name: nginx-http-vol
31 | hostPath:
32 | path: /var/nginxserver
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/nginx-http/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-http
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: nginx-http
10 | template:
11 | metadata:
12 | labels:
13 | app: nginx-http
14 | spec:
15 | containers:
16 | - name: nginx-http
17 | image: nginx
18 | ports:
19 | - name: web
20 | containerPort: 80
21 | volumeMounts:
22 | - name: nginx-http-cm
23 | mountPath: /etc/nginx
24 | - name: nginx-http-vol
25 | mountPath: /usr/share/nginx/html
26 | volumes:
27 | - name: nginx-http-cm
28 | configMap:
29 | name: nginx-http-cm
30 | - name: nginx-http-vol
31 | hostPath:
32 | path: /var/nginxserver
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/nginx-http/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-http
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: nginx-http
10 | template:
11 | metadata:
12 | labels:
13 | app: nginx-http
14 | spec:
15 | containers:
16 | - name: nginx-http
17 | image: nginx
18 | ports:
19 | - name: web
20 | containerPort: 80
21 | volumeMounts:
22 | - name: nginx-http-cm
23 | mountPath: /etc/nginx
24 | - name: nginx-http-vol
25 | mountPath: /usr/share/nginx/html
26 | volumes:
27 | - name: nginx-http-cm
28 | configMap:
29 | name: nginx-http-cm
30 | - name: nginx-http-vol
31 | hostPath:
32 | path: /var/nginxserver
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/nginx-http/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-http
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: nginx-http
10 | template:
11 | metadata:
12 | labels:
13 | app: nginx-http
14 | spec:
15 | containers:
16 | - name: nginx-http
17 | image: nginx
18 | ports:
19 | - name: web
20 | containerPort: 80
21 | volumeMounts:
22 | - name: nginx-http-cm
23 | mountPath: /etc/nginx
24 | - name: nginx-http-vol
25 | mountPath: /usr/share/nginx/html
26 | volumes:
27 | - name: nginx-http-cm
28 | configMap:
29 | name: nginx-http-cm
30 | - name: nginx-http-vol
31 | hostPath:
32 | path: /var/nginxserver
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/nginx-http/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-http
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: nginx-http
10 | template:
11 | metadata:
12 | labels:
13 | app: nginx-http
14 | spec:
15 | containers:
16 | - name: nginx-http
17 | image: nginx
18 | ports:
19 | - name: web
20 | containerPort: 80
21 | volumeMounts:
22 | - name: nginx-http-cm
23 | mountPath: /etc/nginx
24 | - name: nginx-http-vol
25 | mountPath: /usr/share/nginx/html
26 | volumes:
27 | - name: nginx-http-cm
28 | configMap:
29 | name: nginx-http-cm
30 | - name: nginx-http-vol
31 | hostPath:
32 | path: /var/nginxserver
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/nginx-http/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-http
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: nginx-http
10 | template:
11 | metadata:
12 | labels:
13 | app: nginx-http
14 | spec:
15 | containers:
16 | - name: nginx-http
17 | image: nginx
18 | ports:
19 | - name: web
20 | containerPort: 80
21 | volumeMounts:
22 | - name: nginx-http-cm
23 | mountPath: /etc/nginx
24 | - name: nginx-http-vol
25 | mountPath: /usr/share/nginx/html
26 | volumes:
27 | - name: nginx-http-cm
28 | configMap:
29 | name: nginx-http-cm
30 | - name: nginx-http-vol
31 | hostPath:
32 | path: /var/nginxserver
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/nginx-http/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-http
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: nginx-http
10 | template:
11 | metadata:
12 | labels:
13 | app: nginx-http
14 | spec:
15 | containers:
16 | - name: nginx-http
17 | image: nginx
18 | ports:
19 | - name: web
20 | containerPort: 80
21 | volumeMounts:
22 | - name: nginx-http-cm
23 | mountPath: /etc/nginx
24 | - name: nginx-http-vol
25 | mountPath: /usr/share/nginx/html
26 | volumes:
27 | - name: nginx-http-cm
28 | configMap:
29 | name: nginx-http-cm
30 | - name: nginx-http-vol
31 | hostPath:
32 | path: /var/nginxserver
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/nginx-http/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-http
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: nginx-http
10 | template:
11 | metadata:
12 | labels:
13 | app: nginx-http
14 | spec:
15 | containers:
16 | - name: nginx-http
17 | image: nginx
18 | ports:
19 | - name: web
20 | containerPort: 80
21 | volumeMounts:
22 | - name: nginx-http-cm
23 | mountPath: /etc/nginx
24 | - name: nginx-http-vol
25 | mountPath: /usr/share/nginx/html
26 | volumes:
27 | - name: nginx-http-cm
28 | configMap:
29 | name: nginx-http-cm
30 | - name: nginx-http-vol
31 | hostPath:
32 | path: /var/nginxserver
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/nginx-http/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-http
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: nginx-http
10 | template:
11 | metadata:
12 | labels:
13 | app: nginx-http
14 | spec:
15 | containers:
16 | - name: nginx-http
17 | image: nginx
18 | ports:
19 | - name: web
20 | containerPort: 80
21 | volumeMounts:
22 | - name: nginx-http-cm
23 | mountPath: /etc/nginx
24 | - name: nginx-http-vol
25 | mountPath: /usr/share/nginx/html
26 | volumes:
27 | - name: nginx-http-cm
28 | configMap:
29 | name: nginx-http-cm
30 | - name: nginx-http-vol
31 | hostPath:
32 | path: /var/nginxserver
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/nginx-http/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-http
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: nginx-http
10 | template:
11 | metadata:
12 | labels:
13 | app: nginx-http
14 | spec:
15 | containers:
16 | - name: nginx-http
17 | image: nginx
18 | ports:
19 | - name: web
20 | containerPort: 80
21 | volumeMounts:
22 | - name: nginx-http-cm
23 | mountPath: /etc/nginx
24 | - name: nginx-http-vol
25 | mountPath: /usr/share/nginx/html
26 | volumes:
27 | - name: nginx-http-cm
28 | configMap:
29 | name: nginx-http-cm
30 | - name: nginx-http-vol
31 | hostPath:
32 | path: /var/nginxserver
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/nginx-http/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-http
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: nginx-http
10 | template:
11 | metadata:
12 | labels:
13 | app: nginx-http
14 | spec:
15 | containers:
16 | - name: nginx-http
17 | image: nginx
18 | ports:
19 | - name: web
20 | containerPort: 80
21 | volumeMounts:
22 | - name: nginx-http-cm
23 | mountPath: /etc/nginx
24 | - name: nginx-http-vol
25 | mountPath: /usr/share/nginx/html
26 | volumes:
27 | - name: nginx-http-cm
28 | configMap:
29 | name: nginx-http-cm
30 | - name: nginx-http-vol
31 | hostPath:
32 | path: /var/nginxserver
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/nginx-http/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-http
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: nginx-http
10 | template:
11 | metadata:
12 | labels:
13 | app: nginx-http
14 | spec:
15 | containers:
16 | - name: nginx-http
17 | image: nginx
18 | ports:
19 | - name: web
20 | containerPort: 80
21 | volumeMounts:
22 | - name: nginx-http-cm
23 | mountPath: /etc/nginx
24 | - name: nginx-http-vol
25 | mountPath: /usr/share/nginx/html
26 | volumes:
27 | - name: nginx-http-cm
28 | configMap:
29 | name: nginx-http-cm
30 | - name: nginx-http-vol
31 | hostPath:
32 | path: /var/nginxserver
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/nginx-http/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-http
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: nginx-http
10 | template:
11 | metadata:
12 | labels:
13 | app: nginx-http
14 | spec:
15 | containers:
16 | - name: nginx-http
17 | image: nginx
18 | ports:
19 | - name: web
20 | containerPort: 80
21 | volumeMounts:
22 | - name: nginx-http-cm
23 | mountPath: /etc/nginx
24 | - name: nginx-http-vol
25 | mountPath: /usr/share/nginx/html
26 | volumes:
27 | - name: nginx-http-cm
28 | configMap:
29 | name: nginx-http-cm
30 | - name: nginx-http-vol
31 | hostPath:
32 | path: /var/nginxserver
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/nginx-http/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-http
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: nginx-http
10 | template:
11 | metadata:
12 | labels:
13 | app: nginx-http
14 | spec:
15 | containers:
16 | - name: nginx-http
17 | image: nginx
18 | ports:
19 | - name: web
20 | containerPort: 80
21 | volumeMounts:
22 | - name: nginx-http-cm
23 | mountPath: /etc/nginx
24 | - name: nginx-http-vol
25 | mountPath: /usr/share/nginx/html
26 | volumes:
27 | - name: nginx-http-cm
28 | configMap:
29 | name: nginx-http-cm
30 | - name: nginx-http-vol
31 | hostPath:
32 | path: /var/nginxserver
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/nginx-http/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-http
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: nginx-http
10 | template:
11 | metadata:
12 | labels:
13 | app: nginx-http
14 | spec:
15 | containers:
16 | - name: nginx-http
17 | image: nginx
18 | ports:
19 | - name: web
20 | containerPort: 80
21 | volumeMounts:
22 | - name: nginx-http-cm
23 | mountPath: /etc/nginx
24 | - name: nginx-http-vol
25 | mountPath: /usr/share/nginx/html
26 | volumes:
27 | - name: nginx-http-cm
28 | configMap:
29 | name: nginx-http-cm
30 | - name: nginx-http-vol
31 | hostPath:
32 | path: /var/nginxserver
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx-http
File: /kubernetes/nginx-http/nginx-http-deploy.yml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-http
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: nginx-http
10 | template:
11 | metadata:
12 | labels:
13 | app: nginx-http
14 | spec:
15 | containers:
16 | - name: nginx-http
17 | image: nginx
18 | ports:
19 | - name: web
20 | containerPort: 80
21 | volumeMounts:
22 | - name: nginx-http-cm
23 | mountPath: /etc/nginx
24 | - name: nginx-http-vol
25 | mountPath: /usr/share/nginx/html
26 | volumes:
27 | - name: nginx-http-cm
28 | configMap:
29 | name: nginx-http-cm
30 | - name: nginx-http-vol
31 | hostPath:
32 | path: /var/nginxserver
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.nginx-http-cm
File: /kubernetes/nginx-http/nginx-http-cm.yml:1-28
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: ConfigMap
3 | metadata:
4 | name: nginx-http-cm
5 | data:
6 | # key: value
7 | # file: |
8 | # content
9 | # ---
10 | nginx.conf: |
11 | user nginx;
12 | worker_processes 1;
13 | events {
14 | worker_connections 10240;
15 | }
16 | http {
17 | server {
18 | listen 80;
19 | server_name _;
20 | location / {
21 | root /usr/share/nginx/html;
22 | index index.html index.htm;
23 | }
24 | location /test {
25 | return 401;
26 | }
27 | }
28 | }
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.nginx-http-svc
File: /kubernetes/nginx-http/nginx-http-svc.yml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 | name: nginx-http-svc
5 | labels:
6 | app: nginx-http
7 | spec:
8 | type: LoadBalancer
9 | ports:
10 | - port: 30080
11 | targetPort: 80
12 | protocol: TCP
13 | name: http
14 | selector:
15 | app: nginx-http
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.appname.app-appname
File: /kubernetes/templates/deployment.yaml:1-41
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: appname # Name of the deployment
5 | namespace: namespace # Name of the namespace
6 | labels:
7 | app: appname # Name of your application
8 | spec:
9 | selector:
10 | matchLabels:
11 | app: appname # Name of your application
12 | replicas: 1 # Number of replicas
13 | template:
14 | metadata:
15 | labels:
16 | app: appname # Name of your application
17 | spec:
18 | containers:
19 | # Containers are the individual pieces of your application that you want
20 | # to run.
21 | - name: helloworld # Name of the container
22 | image: helloworld:latest # The image you want to run
23 | # resources:
24 | # limits:
25 | # memory: 512Mi
26 | # cpu: "1"
27 | # requests:
28 | # memory: 256Mi
29 | # cpu: "0.2"
30 | ports:
31 | # Ports are the ports that your application uses.
32 | - containerPort: 8080 # The port that your application uses
33 | volumeMounts:
34 | # VolumeMounts are the volumes that your application uses.
35 | - mountPath: /var/www/html # The path that your application uses
36 | name: vol0 # Name of the volume
37 | volumes:
38 | # Volumes are the persistent storage that your application uses.
39 | - name: vol0 # Name of the volume
40 | persistentVolumeClaim:
41 | claimName: pvc0 # Name of the persistent volume claim
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.nfs-web.app-nfs-web
File: /kubernetes/templates/pv-and-pvc/nfs-web.yml:1-27
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nfs-web
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: nfs-web
10 | template:
11 | metadata:
12 | labels:
13 | app: nfs-web
14 | spec:
15 | containers:
16 | - name: nfs-web
17 | image: nginx
18 | ports:
19 | - name: web
20 | containerPort: 80
21 | volumeMounts:
22 | - name: nfs
23 | mountPath: /usr/share/nginx/html
24 | volumes:
25 | - name: nfs
26 | persistentVolumeClaim:
27 | claimName: nfs
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.local-web.app-local-web
File: /kubernetes/templates/pv-and-pvc/local-web.yml:1-27
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: local-web
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: local-web
10 | template:
11 | metadata:
12 | labels:
13 | app: local-web
14 | spec:
15 | containers:
16 | - name: local-web
17 | image: nginx
18 | ports:
19 | - name: web
20 | containerPort: 80
21 | volumeMounts:
22 | - name: local
23 | mountPath: /usr/share/nginx/html
24 | volumes:
25 | - name: local
26 | hostPath:
27 | path: /var/nginxserver
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.civo-web.app-civo-web
File: /kubernetes/templates/pv-and-pvc/civo-web.yml:1-27
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: civo-web
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: civo-web
10 | template:
11 | metadata:
12 | labels:
13 | app: civo-web
14 | spec:
15 | containers:
16 | - name: civo-web
17 | image: nginx
18 | ports:
19 | - name: web
20 | containerPort: 80
21 | volumeMounts:
22 | - name: civo
23 | mountPath: /usr/share/nginx/html
24 | volumes:
25 | - name: civo
26 | persistentVolumeClaim:
27 | claimName: civo
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.nginx-https.app-nginx-https
File: /kubernetes/templates/cm-and-secrets/nginx-https-deploy.yml:1-41
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-https
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: nginx-https
10 | template:
11 | metadata:
12 | labels:
13 | app: nginx-https
14 | spec:
15 | containers:
16 | - name: nginx-https
17 | image: nginx
18 | ports:
19 | - name: web
20 | containerPort: 80
21 | - name: secureweb
22 | containerPort: 443
23 | volumeMounts:
24 | - name: nginx-https-cm
25 | mountPath: /etc/nginx
26 | - name: nginx-https-secret
27 | mountPath: /etc/nginx/ssl
28 | readOnly: true
29 | - name: nginx-https-vol
30 | mountPath: /usr/share/nginx/html
31 | volumes:
32 | - name: nginx-https-cm
33 | configMap:
34 | name: nginx-https-cm
35 | - name: nginx-https-secret
36 | secret:
37 | secretName: nginx-https-secret
38 | - name: nginx-https-vol
39 | hostPath:
40 | path: /var/nginxserver
41 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.nginx-http.app-nginx-http
File: /kubernetes/templates/cm-and-secrets/nginx-http-deploy.yml:1-32
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-http
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: nginx-http
10 | template:
11 | metadata:
12 | labels:
13 | app: nginx-http
14 | spec:
15 | containers:
16 | - name: nginx-http
17 | image: nginx
18 | ports:
19 | - name: web
20 | containerPort: 80
21 | volumeMounts:
22 | - name: nginx-http-cm
23 | mountPath: /etc/nginx
24 | - name: nginx-http-vol
25 | mountPath: /usr/share/nginx/html
26 | volumes:
27 | - name: nginx-http-cm
28 | configMap:
29 | name: nginx-http-cm
30 | - name: nginx-http-vol
31 | hostPath:
32 | path: /var/nginxserver
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.mysql.app-mysql
File: /kubernetes/templates/cm-and-secrets/mysql-deploy.yml:1-26
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: mysql
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: mysql
10 | template:
11 | metadata:
12 | labels:
13 | app: mysql
14 | spec:
15 | containers:
16 | - image: mysql:5.6
17 | name: mysql
18 | env:
19 | - name: MYSQL_ROOT_PASSWORD
20 | valueFrom:
21 | secretKeyRef:
22 | name: mysql-secret
23 | key: root-pass
24 | ports:
25 | - name: mysql
26 | containerPort: 3306
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.nginx-http.app-nginx-http
File: /kubernetes/nginx-http/nginx-http-deploy.yml:1-32
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: nginx-http
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: nginx-http
10 | template:
11 | metadata:
12 | labels:
13 | app: nginx-http
14 | spec:
15 | containers:
16 | - name: nginx-http
17 | image: nginx
18 | ports:
19 | - name: web
20 | containerPort: 80
21 | volumeMounts:
22 | - name: nginx-http-cm
23 | mountPath: /etc/nginx
24 | - name: nginx-http-vol
25 | mountPath: /usr/share/nginx/html
26 | volumes:
27 | - name: nginx-http-cm
28 | configMap:
29 | name: nginx-http-cm
30 | - name: nginx-http-vol
31 | hostPath:
32 | path: /var/nginxserver
secrets scan results:
Passed checks: 0, Failed checks: 7, Skipped checks: 0
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 179ee5d89ad049cbb6ff92853979e2d9ac617c13
File: /packer/proxmox/credentials.pkr.hcl:3-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
3 | proxmox_api_token_secret = "your-****************"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 45d676e7c6ab44cf4b8fa366ef2d8fccd3e6d6e6
File: /packer/proxmox/ubuntu-server-focal-docker/ubuntu-server-focal-docker.pkr.hcl:97-98
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
97 | # ssh_password = "you**********"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 45d676e7c6ab44cf4b8fa366ef2d8fccd3e6d6e6
File: /packer/proxmox/ubuntu-server-focal/ubuntu-server-focal.pkr.hcl:97-98
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
97 | # ssh_password = "you**********"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 45d676e7c6ab44cf4b8fa366ef2d8fccd3e6d6e6
File: /packer/proxmox/ubuntu-server-jammy-docker/ubuntu-server-jammy-docker.pkr.hcl:98-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
98 | # ssh_password = "you**********"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 45d676e7c6ab44cf4b8fa366ef2d8fccd3e6d6e6
File: /packer/proxmox/ubuntu-server-jammy/ubuntu-server-jammy.pkr.hcl:98-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
98 | # ssh_password = "you**********"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 11fa7c37d697f30e6aee828b4426a10f83ab2380
File: /terraform/templates/cloud-deployment-example/main.tf:21-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
21 | # cloudflare_api_key = "you*********"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: a6f44976f8e3da391c40edd51d26d2ac5613b39a
File: /terraform/templates/cloud-deployment-example/main.tf:22-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
22 | # civo_token = "yo********"
ansible scan results:
Passed checks: 49, Failed checks: 1, Skipped checks: 0
Check: CKV2_ANSIBLE_1: "Ensure that HTTPS url is used with uri"
FAILED for resource: tasks.uri.send discord message
File: /ansible/notification/notify-discord.yaml:5-15
5 | - name: send discord message
6 | uri:
7 | url: "your-webhook"
8 | method: POST
9 | body_format: json
10 | body: '{"content": "your-message"}'
11 | headers:
12 | Content-Type: application/json
13 | status_code: 204
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools