| Repository | codeaprendiz / learn-devops |
|---|---|
| Description | I am using this repository to document my devops journey. I follow the process of learning everything by tasks. Every task has an associated objective that encompasses an underlying concept. Concep… |
| Stars | 1200 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning

This repository failed the Experience Builder Terraform Module's Security Scanning validation: no security scanning tool was found in any of the CI/CD tool configuration files in the repository.

There is an opportunity to:

- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository

Note that the checkov run below did not fetch the external modules listed in its warnings, so resources defined inside those modules are not among the 315 failed checks; pass `--download-external-modules true` to include them in a re-scan.
Checkov Output
2023-10-05 14:41:40,400 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/vpc/aws:3.6.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:41:40,400 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/eks/aws:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:41:40,400 [MainThread ] [WARNI] Failed to download module terraform-google-modules/vm/google//modules/instance_template:~>8.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:41:40,400 [MainThread ] [WARNI] Failed to download module terraform-google-modules/vm/google//modules/mig:~>8.0 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:41:40,400 [MainThread ] [WARNI] Failed to download module terraform-google-modules/cloud-nat/google:~>2.2 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:41:40,401 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/ec2-instance/aws:~>2.15 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:41:40,401 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/security-group/aws:~>3.17 (for external modules, the --download-external-modules flag is required)
2023-10-05 14:41:40,401 [MainThread ] [WARNI] Failed to download module github.com/wardviaene/terraform-consul-module.git?ref=terraform-0.12:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:41:40,401 [MainThread ] [WARNI] Failed to download module git::https://github.com/poseidon/typhoon//aws/container-linux/kubernetes?ref=v1.18.5:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:41:40,401 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-iam-s3-user.git?ref=master:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:41:40,402 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-s3-bucket.git?ref=master:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:41:40,402 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn.git?ref=0.41.0:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:41:40,403 [MainThread ] [WARNI] Failed to download module git::https://github.com/cloudposse/terraform-aws-iam-s3-user.git?ref=0.14.1:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:41:40,403 [MainThread ] [WARNI] Failed to download module oracle-terraform-modules/vcn/oci:3.5.1 (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 448, Failed checks: 315, Skipped checks: 0
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.web
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_001_vars_provider_ec2_dataSources/05-instance.tf:17-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
17 | resource "aws_instance" "web" {
18 | ami = data.aws_ami.ubuntu.id
19 | instance_type = "t2.micro"
20 |
21 | tags = {
22 | Name = "HelloWorld"
23 | }
24 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.web
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_001_vars_provider_ec2_dataSources/05-instance.tf:17-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
17 | resource "aws_instance" "web" {
18 | ami = data.aws_ami.ubuntu.id
19 | instance_type = "t2.micro"
20 |
21 | tags = {
22 | Name = "HelloWorld"
23 | }
24 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.web
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_001_vars_provider_ec2_dataSources/05-instance.tf:17-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
17 | resource "aws_instance" "web" {
18 | ami = data.aws_ami.ubuntu.id
19 | instance_type = "t2.micro"
20 |
21 | tags = {
22 | Name = "HelloWorld"
23 | }
24 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.web
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_001_vars_provider_ec2_dataSources/05-instance.tf:17-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
17 | resource "aws_instance" "web" {
18 | ami = data.aws_ami.ubuntu.id
19 | instance_type = "t2.micro"
20 |
21 | tags = {
22 | Name = "HelloWorld"
23 | }
24 | }
Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned"
FAILED for resource: aws_default_vpc.default
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_002_defaultVPC_sbnt_sg_kp_ec2/05-vpc.tf:5-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html
5 | resource "aws_default_vpc" "default" {
6 | tags = {
7 | Name = "Default VPC"
8 | }
9 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.sg_22
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_002_defaultVPC_sbnt_sg_kp_ec2/25-security-group.tf:4-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
4 | resource "aws_security_group" "sg_22" {
5 | name = "sg_22"
6 | vpc_id = aws_default_vpc.default.id
7 | ingress {
8 | from_port = 22
9 | to_port = 22
10 | protocol = "tcp"
11 | cidr_blocks = ["0.0.0.0/0"]
12 | }
13 | ingress {
14 | from_port = 443
15 | to_port = 443
16 | protocol = "tcp"
17 | cidr_blocks = ["0.0.0.0/0"]
18 | }
19 | ingress {
20 | from_port = 80
21 | to_port = 80
22 | protocol = "tcp"
23 |
24 | cidr_blocks = ["0.0.0.0/0"]
25 | }
26 | egress {
27 | from_port = 0
28 | to_port = 0
29 | protocol = "-1"
30 | cidr_blocks = ["0.0.0.0/0"]
31 | }
32 | tags = {
33 | Environment = var.environment_tag
34 | }
35 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.sg_22
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_002_defaultVPC_sbnt_sg_kp_ec2/25-security-group.tf:4-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
4 | resource "aws_security_group" "sg_22" {
5 | name = "sg_22"
6 | vpc_id = aws_default_vpc.default.id
7 | ingress {
8 | from_port = 22
9 | to_port = 22
10 | protocol = "tcp"
11 | cidr_blocks = ["0.0.0.0/0"]
12 | }
13 | ingress {
14 | from_port = 443
15 | to_port = 443
16 | protocol = "tcp"
17 | cidr_blocks = ["0.0.0.0/0"]
18 | }
19 | ingress {
20 | from_port = 80
21 | to_port = 80
22 | protocol = "tcp"
23 |
24 | cidr_blocks = ["0.0.0.0/0"]
25 | }
26 | egress {
27 | from_port = 0
28 | to_port = 0
29 | protocol = "-1"
30 | cidr_blocks = ["0.0.0.0/0"]
31 | }
32 | tags = {
33 | Environment = var.environment_tag
34 | }
35 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.sg_22
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_002_defaultVPC_sbnt_sg_kp_ec2/25-security-group.tf:4-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
4 | resource "aws_security_group" "sg_22" {
5 | name = "sg_22"
6 | vpc_id = aws_default_vpc.default.id
7 | ingress {
8 | from_port = 22
9 | to_port = 22
10 | protocol = "tcp"
11 | cidr_blocks = ["0.0.0.0/0"]
12 | }
13 | ingress {
14 | from_port = 443
15 | to_port = 443
16 | protocol = "tcp"
17 | cidr_blocks = ["0.0.0.0/0"]
18 | }
19 | ingress {
20 | from_port = 80
21 | to_port = 80
22 | protocol = "tcp"
23 |
24 | cidr_blocks = ["0.0.0.0/0"]
25 | }
26 | egress {
27 | from_port = 0
28 | to_port = 0
29 | protocol = "-1"
30 | cidr_blocks = ["0.0.0.0/0"]
31 | }
32 | tags = {
33 | Environment = var.environment_tag
34 | }
35 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.web
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_002_defaultVPC_sbnt_sg_kp_ec2/35-ec2-instance.tf:23-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
23 | resource "aws_instance" "web" {
24 | ami = data.aws_ami.ubuntu-bionic-latest.id
25 | instance_type = var.instance_type
26 | subnet_id = aws_default_subnet.default_az1.id
27 | vpc_security_group_ids = [aws_security_group.sg_22.id]
28 | key_name = aws_key_pair.ec2key.key_name
29 |
30 | tags = {
31 | Name = "DroneCI"
32 | }
33 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.web
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_002_defaultVPC_sbnt_sg_kp_ec2/35-ec2-instance.tf:23-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
23 | resource "aws_instance" "web" {
24 | ami = data.aws_ami.ubuntu-bionic-latest.id
25 | instance_type = var.instance_type
26 | subnet_id = aws_default_subnet.default_az1.id
27 | vpc_security_group_ids = [aws_security_group.sg_22.id]
28 | key_name = aws_key_pair.ec2key.key_name
29 |
30 | tags = {
31 | Name = "DroneCI"
32 | }
33 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.web
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_002_defaultVPC_sbnt_sg_kp_ec2/35-ec2-instance.tf:23-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
23 | resource "aws_instance" "web" {
24 | ami = data.aws_ami.ubuntu-bionic-latest.id
25 | instance_type = var.instance_type
26 | subnet_id = aws_default_subnet.default_az1.id
27 | vpc_security_group_ids = [aws_security_group.sg_22.id]
28 | key_name = aws_key_pair.ec2key.key_name
29 |
30 | tags = {
31 | Name = "DroneCI"
32 | }
33 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.web
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_002_defaultVPC_sbnt_sg_kp_ec2/35-ec2-instance.tf:23-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
23 | resource "aws_instance" "web" {
24 | ami = data.aws_ami.ubuntu-bionic-latest.id
25 | instance_type = var.instance_type
26 | subnet_id = aws_default_subnet.default_az1.id
27 | vpc_security_group_ids = [aws_security_group.sg_22.id]
28 | key_name = aws_key_pair.ec2key.key_name
29 |
30 | tags = {
31 | Name = "DroneCI"
32 | }
33 | }
Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned"
FAILED for resource: aws_default_vpc.default
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_003_defaultVPC_kp_sbnt_sg_ec2_script/07-vpc.tf:5-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html
5 | resource "aws_default_vpc" "default" {
6 | tags = {
7 | Name = "Default VPC"
8 | }
9 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.sg_22
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_003_defaultVPC_kp_sbnt_sg_ec2_script/20-security-group.tf:4-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
4 | resource "aws_security_group" "sg_22" {
5 | name = "sg_22"
6 | vpc_id = aws_default_vpc.default.id
7 | ingress {
8 | from_port = 22
9 | to_port = 22
10 | protocol = "tcp"
11 | cidr_blocks = ["0.0.0.0/0"]
12 | }
13 | ingress {
14 | from_port = 443
15 | to_port = 443
16 | protocol = "tcp"
17 | cidr_blocks = ["0.0.0.0/0"]
18 | }
19 | ingress {
20 | from_port = 80
21 | to_port = 80
22 | protocol = "tcp"
23 |
24 | cidr_blocks = ["0.0.0.0/0"]
25 | }
26 | egress {
27 | from_port = 0
28 | to_port = 0
29 | protocol = "-1"
30 | cidr_blocks = ["0.0.0.0/0"]
31 | }
32 | tags = {
33 | Environment = var.environment_tag
34 | }
35 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.sg_22
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_003_defaultVPC_kp_sbnt_sg_ec2_script/20-security-group.tf:4-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
4 | resource "aws_security_group" "sg_22" {
5 | name = "sg_22"
6 | vpc_id = aws_default_vpc.default.id
7 | ingress {
8 | from_port = 22
9 | to_port = 22
10 | protocol = "tcp"
11 | cidr_blocks = ["0.0.0.0/0"]
12 | }
13 | ingress {
14 | from_port = 443
15 | to_port = 443
16 | protocol = "tcp"
17 | cidr_blocks = ["0.0.0.0/0"]
18 | }
19 | ingress {
20 | from_port = 80
21 | to_port = 80
22 | protocol = "tcp"
23 |
24 | cidr_blocks = ["0.0.0.0/0"]
25 | }
26 | egress {
27 | from_port = 0
28 | to_port = 0
29 | protocol = "-1"
30 | cidr_blocks = ["0.0.0.0/0"]
31 | }
32 | tags = {
33 | Environment = var.environment_tag
34 | }
35 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.sg_22
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_003_defaultVPC_kp_sbnt_sg_ec2_script/20-security-group.tf:4-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
4 | resource "aws_security_group" "sg_22" {
5 | name = "sg_22"
6 | vpc_id = aws_default_vpc.default.id
7 | ingress {
8 | from_port = 22
9 | to_port = 22
10 | protocol = "tcp"
11 | cidr_blocks = ["0.0.0.0/0"]
12 | }
13 | ingress {
14 | from_port = 443
15 | to_port = 443
16 | protocol = "tcp"
17 | cidr_blocks = ["0.0.0.0/0"]
18 | }
19 | ingress {
20 | from_port = 80
21 | to_port = 80
22 | protocol = "tcp"
23 |
24 | cidr_blocks = ["0.0.0.0/0"]
25 | }
26 | egress {
27 | from_port = 0
28 | to_port = 0
29 | protocol = "-1"
30 | cidr_blocks = ["0.0.0.0/0"]
31 | }
32 | tags = {
33 | Environment = var.environment_tag
34 | }
35 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.web
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_003_defaultVPC_kp_sbnt_sg_ec2_script/25-instance.tf:17-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
17 | resource "aws_instance" "web" {
18 | ami = data.aws_ami.ubuntu.id
19 | instance_type = "t2.micro"
20 | key_name = aws_key_pair.mykey.key_name
21 | subnet_id = aws_default_subnet.default_az1.id
22 | vpc_security_group_ids = [aws_security_group.sg_22.id]
23 | provisioner "file" {
24 | source = "script.sh"
25 | destination = "/tmp/script.sh"
26 | }
27 |
28 | provisioner "remote-exec" {
29 | inline = [
30 | "chmod +x /tmp/script.sh",
31 | "sudo /tmp/script.sh",
32 | ]
33 | }
34 | connection {
35 | host = coalesce(self.public_ip, self.private_ip)
36 | type = "ssh"
37 | user = var.INSTANCE_USERNAME
38 | private_key = file(var.PATH_TO_PRIVATE_KEY)
39 | }
40 | tags = {
41 | Name = "HelloWorld"
42 | }
43 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.web
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_003_defaultVPC_kp_sbnt_sg_ec2_script/25-instance.tf:17-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
17 | resource "aws_instance" "web" {
18 | ami = data.aws_ami.ubuntu.id
19 | instance_type = "t2.micro"
20 | key_name = aws_key_pair.mykey.key_name
21 | subnet_id = aws_default_subnet.default_az1.id
22 | vpc_security_group_ids = [aws_security_group.sg_22.id]
23 | provisioner "file" {
24 | source = "script.sh"
25 | destination = "/tmp/script.sh"
26 | }
27 |
28 | provisioner "remote-exec" {
29 | inline = [
30 | "chmod +x /tmp/script.sh",
31 | "sudo /tmp/script.sh",
32 | ]
33 | }
34 | connection {
35 | host = coalesce(self.public_ip, self.private_ip)
36 | type = "ssh"
37 | user = var.INSTANCE_USERNAME
38 | private_key = file(var.PATH_TO_PRIVATE_KEY)
39 | }
40 | tags = {
41 | Name = "HelloWorld"
42 | }
43 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.web
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_003_defaultVPC_kp_sbnt_sg_ec2_script/25-instance.tf:17-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
17 | resource "aws_instance" "web" {
18 | ami = data.aws_ami.ubuntu.id
19 | instance_type = "t2.micro"
20 | key_name = aws_key_pair.mykey.key_name
21 | subnet_id = aws_default_subnet.default_az1.id
22 | vpc_security_group_ids = [aws_security_group.sg_22.id]
23 | provisioner "file" {
24 | source = "script.sh"
25 | destination = "/tmp/script.sh"
26 | }
27 |
28 | provisioner "remote-exec" {
29 | inline = [
30 | "chmod +x /tmp/script.sh",
31 | "sudo /tmp/script.sh",
32 | ]
33 | }
34 | connection {
35 | host = coalesce(self.public_ip, self.private_ip)
36 | type = "ssh"
37 | user = var.INSTANCE_USERNAME
38 | private_key = file(var.PATH_TO_PRIVATE_KEY)
39 | }
40 | tags = {
41 | Name = "HelloWorld"
42 | }
43 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.web
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_003_defaultVPC_kp_sbnt_sg_ec2_script/25-instance.tf:17-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
17 | resource "aws_instance" "web" {
18 | ami = data.aws_ami.ubuntu.id
19 | instance_type = "t2.micro"
20 | key_name = aws_key_pair.mykey.key_name
21 | subnet_id = aws_default_subnet.default_az1.id
22 | vpc_security_group_ids = [aws_security_group.sg_22.id]
23 | provisioner "file" {
24 | source = "script.sh"
25 | destination = "/tmp/script.sh"
26 | }
27 |
28 | provisioner "remote-exec" {
29 | inline = [
30 | "chmod +x /tmp/script.sh",
31 | "sudo /tmp/script.sh",
32 | ]
33 | }
34 | connection {
35 | host = coalesce(self.public_ip, self.private_ip)
36 | type = "ssh"
37 | user = var.INSTANCE_USERNAME
38 | private_key = file(var.PATH_TO_PRIVATE_KEY)
39 | }
40 | tags = {
41 | Name = "HelloWorld"
42 | }
43 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.web
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_004_vars_provider_ec2_output/10-instance.tf:17-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
17 | resource "aws_instance" "web" {
18 | ami = data.aws_ami.ubuntu.id
19 | instance_type = "t2.micro"
20 |
21 | provisioner "local-exec" {
22 | command = "echo ${aws_instance.web.private_ip} >> private_ips.txt"
23 | }
24 | tags = {
25 | Name = "HelloWorld"
26 | }
27 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.web
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_004_vars_provider_ec2_output/10-instance.tf:17-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
17 | resource "aws_instance" "web" {
18 | ami = data.aws_ami.ubuntu.id
19 | instance_type = "t2.micro"
20 |
21 | provisioner "local-exec" {
22 | command = "echo ${aws_instance.web.private_ip} >> private_ips.txt"
23 | }
24 | tags = {
25 | Name = "HelloWorld"
26 | }
27 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.web
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_004_vars_provider_ec2_output/10-instance.tf:17-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
17 | resource "aws_instance" "web" {
18 | ami = data.aws_ami.ubuntu.id
19 | instance_type = "t2.micro"
20 |
21 | provisioner "local-exec" {
22 | command = "echo ${aws_instance.web.private_ip} >> private_ips.txt"
23 | }
24 | tags = {
25 | Name = "HelloWorld"
26 | }
27 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.web
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_004_vars_provider_ec2_output/10-instance.tf:17-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
17 | resource "aws_instance" "web" {
18 | ami = data.aws_ami.ubuntu.id
19 | instance_type = "t2.micro"
20 |
21 | provisioner "local-exec" {
22 | command = "echo ${aws_instance.web.private_ip} >> private_ips.txt"
23 | }
24 | tags = {
25 | Name = "HelloWorld"
26 | }
27 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.web
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_005_vars_provider_ec2_remoteStateInS3/10-instance.tf:17-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
17 | resource "aws_instance" "web" {
18 | ami = data.aws_ami.ubuntu.id
19 | instance_type = "t2.micro"
20 |
21 | tags = {
22 | Name = "HelloWorld"
23 | }
24 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.web
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_005_vars_provider_ec2_remoteStateInS3/10-instance.tf:17-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
17 | resource "aws_instance" "web" {
18 | ami = data.aws_ami.ubuntu.id
19 | instance_type = "t2.micro"
20 |
21 | tags = {
22 | Name = "HelloWorld"
23 | }
24 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.web
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_005_vars_provider_ec2_remoteStateInS3/10-instance.tf:17-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
17 | resource "aws_instance" "web" {
18 | ami = data.aws_ami.ubuntu.id
19 | instance_type = "t2.micro"
20 |
21 | tags = {
22 | Name = "HelloWorld"
23 | }
24 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.web
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_005_vars_provider_ec2_remoteStateInS3/10-instance.tf:17-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
17 | resource "aws_instance" "web" {
18 | ami = data.aws_ami.ubuntu.id
19 | instance_type = "t2.micro"
20 |
21 | tags = {
22 | Name = "HelloWorld"
23 | }
24 | }
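The four instance-level findings (CKV_AWS_126, CKV_AWS_8, CKV_AWS_79 and CKV_AWS_135) recur for every aws_instance.web in task_001 through task_005 and for aws_instance.testInstance in task_007, and all four are fixed on the resource itself. The following is an added example, not code from the learn-devops repository, showing the task_001 aws_instance.web rewritten so that it passes all four. data.aws_ami.ubuntu is the page's own data source; the switch to t3.micro and the optional KMS key are assumptions.

```hcl
# Added example (not from the learn-devops repository): hardened version of
# aws_instance "web" that clears CKV_AWS_126, CKV_AWS_8, CKV_AWS_79 and
# CKV_AWS_135. data.aws_ami.ubuntu is assumed to exist as in the scanned task.

resource "aws_instance" "web" {
  ami           = data.aws_ami.ubuntu.id
  instance_type = "t3.micro" # assumption: a Nitro type, because t2 rejects ebs_optimized

  # CKV_AWS_126: 1-minute CloudWatch metrics instead of the 5-minute default.
  monitoring = true

  # CKV_AWS_135: dedicated EBS bandwidth. Only the attribute is checked, but
  # the API refuses it on t2 instances, hence the instance type above.
  ebs_optimized = true

  # CKV_AWS_8: encrypt the root volume at rest. Without kms_key_id the
  # account's default EBS key is used.
  root_block_device {
    encrypted   = true
    volume_type = "gp3"
    # kms_key_id = aws_kms_key.ebs.arn   # assumption: optional customer-managed key
  }

  # CKV_AWS_79: require IMDSv2. A plain GET to 169.254.169.254 now fails
  # unless it carries a session token obtained with a PUT, which is what
  # stops an SSRF in a web app on this host from reading role credentials.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  tags = {
    Name = "HelloWorld"
  }
}
```

The instance-type change is the one non-obvious part: checkov only inspects the ebs_optimized attribute, but t2 instances reject it at apply time, so CKV_AWS_135 cannot be satisfied on t2.micro. For a learning repository that deliberately keeps t2.micro, an inline suppression comment such as `#checkov:skip=CKV_AWS_135:free-tier instance` inside the resource block is the honest alternative to a setting that breaks `terraform apply`. Of the four, CKV_AWS_79 carries the most weight, since the other three are cost and hygiene controls while IMDSv2 closes a credential-theft path. Re-run `checkov -d <task directory>` after the change to confirm the four checks move to the passed list.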
Check: CKV_AWS_148: "Ensure no default VPC is planned to be provisioned"
FAILED for resource: aws_default_vpc.default
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_006_defaultVPC_defaultSbnt_modules_kp/10-default_vpc.tf:5-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-no-default-vpc-is-planned-to-be-provisioned.html
5 | resource "aws_default_vpc" "default" {
6 | tags = {
7 | Name = "Default VPC"
8 | }
9 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.subnet_public
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_007_customVPC_igw_sbnt_rt_sg_kp_ec2/15-subnet.tf:3-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
3 | resource "aws_subnet" "subnet_public" {
4 | vpc_id = aws_vpc.vpc.id
5 | cidr_block = var.cidr_subnet
6 | map_public_ip_on_launch = "true"
7 | availability_zone = var.availability_zone
8 | tags = {
9 | Environment = var.environment_tag
10 | }
11 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.sg_22
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_007_customVPC_igw_sbnt_rt_sg_kp_ec2/25-security-group.tf:4-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
4 | resource "aws_security_group" "sg_22" {
5 | name = "sg_22"
6 | vpc_id = aws_vpc.vpc.id
7 | ingress {
8 | from_port = 22
9 | to_port = 22
10 | protocol = "tcp"
11 | cidr_blocks = ["0.0.0.0/0"]
12 | }
13 | egress {
14 | from_port = 0
15 | to_port = 0
16 | protocol = "-1"
17 | cidr_blocks = ["0.0.0.0/0"]
18 | }
19 | tags = {
20 | Environment = var.environment_tag
21 | }
22 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.sg_22
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_007_customVPC_igw_sbnt_rt_sg_kp_ec2/25-security-group.tf:4-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
4 | resource "aws_security_group" "sg_22" {
5 | name = "sg_22"
6 | vpc_id = aws_vpc.vpc.id
7 | ingress {
8 | from_port = 22
9 | to_port = 22
10 | protocol = "tcp"
11 | cidr_blocks = ["0.0.0.0/0"]
12 | }
13 | egress {
14 | from_port = 0
15 | to_port = 0
16 | protocol = "-1"
17 | cidr_blocks = ["0.0.0.0/0"]
18 | }
19 | tags = {
20 | Environment = var.environment_tag
21 | }
22 | }
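The network-layer findings share one root cause: the tasks adopt the account's default VPC and open management ports to the world. That covers CKV_AWS_148 for aws_default_vpc.default (task_002, task_003, task_006), CKV_AWS_23, CKV_AWS_24 and CKV_AWS_260 for aws_security_group.sg_22 (task_002, task_003, task_007) and CKV_AWS_130 for aws_subnet.subnet_public (task_007). The following added example, not code from the learn-devops repository, is a replacement network layer that passes all of them. var.environment_tag and var.availability_zone are the page's own variables; the 10.20.0.0/16 range, var.admin_cidr and the 203.0.113.0/24 placeholder are assumptions.

```hcl
# Added example (not from the learn-devops repository): network resources that
# clear CKV_AWS_148, CKV_AWS_130, CKV_AWS_23, CKV_AWS_24 and CKV_AWS_260.
# var.environment_tag and var.availability_zone are assumed to be declared
# as in the scanned tasks; var.admin_cidr is declared below.

# CKV_AWS_148: a dedicated VPC instead of adopting the account default.
resource "aws_vpc" "main" {
  cidr_block           = "10.20.0.0/16" # constructed example range
  enable_dns_support   = true
  enable_dns_hostnames = true

  tags = {
    Name        = "learn-devops"
    Environment = var.environment_tag
  }
}

# CKV_AWS_130: no automatic public IP on launch. A host that genuinely needs
# one sets associate_public_ip_address itself, so the exception is explicit.
resource "aws_subnet" "app" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "10.20.1.0/24"
  availability_zone       = var.availability_zone
  map_public_ip_on_launch = false

  tags = {
    Environment = var.environment_tag
  }
}

# CKV_AWS_23 / CKV_AWS_24 / CKV_AWS_260: every rule carries a description,
# SSH is limited to an admin range, and port 80 is not open to the world.
resource "aws_security_group" "web" {
  name        = "web"
  description = "Web tier: HTTPS from anywhere, SSH from the admin range only"
  vpc_id      = aws_vpc.main.id

  ingress {
    description = "SSH from the admin VPN / bastion range"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr] # e.g. "203.0.113.0/24", never 0.0.0.0/0
  }

  ingress {
    description = "HTTPS from the internet"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Plain HTTP is deliberately absent: terminate TLS here or on a load
  # balancer and do the 80 -> 443 redirect there.

  egress {
    description = "All outbound (package updates, AWS APIs)"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Environment = var.environment_tag
  }
}

variable "admin_cidr" {
  description = "IPv4 CIDR allowed to reach SSH; must not be 0.0.0.0/0"
  type        = string

  # Reject the one value that would silently reintroduce CKV_AWS_24.
  validation {
    condition     = var.admin_cidr != "0.0.0.0/0" && can(cidrnetmask(var.admin_cidr))
    error_message = "admin_cidr must be a specific IPv4 CIDR, not 0.0.0.0/0."
  }
}
```

The variable validation matters more than it looks: a scanner only sees what is in the repository, and an SSH rule sourced from a variable passes CKV_AWS_24 whatever value is supplied at plan time, so the guard has to live in the configuration itself. Port 80 is dropped rather than restricted; where a redirect or an ACME HTTP challenge is unavoidable, attach it to a load balancer so it is one documented exception rather than a world-open rule on every host.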
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.testInstance
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_007_customVPC_igw_sbnt_rt_sg_kp_ec2/35-ec2-instance.tf:4-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
4 | resource "aws_instance" "testInstance" {
5 | ami = var.instance_ami
6 | instance_type = var.instance_type
7 | subnet_id = aws_subnet.subnet_public.id
8 | vpc_security_group_ids = [aws_security_group.sg_22.id]
9 | key_name = aws_key_pair.ec2key.key_name
10 | tags = {
11 | Environment = var.environment_tag
12 | }
13 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.testInstance
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_007_customVPC_igw_sbnt_rt_sg_kp_ec2/35-ec2-instance.tf:4-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
4 | resource "aws_instance" "testInstance" {
5 | ami = var.instance_ami
6 | instance_type = var.instance_type
7 | subnet_id = aws_subnet.subnet_public.id
8 | vpc_security_group_ids = [aws_security_group.sg_22.id]
9 | key_name = aws_key_pair.ec2key.key_name
10 | tags = {
11 | Environment = var.environment_tag
12 | }
13 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.testInstance
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_007_customVPC_igw_sbnt_rt_sg_kp_ec2/35-ec2-instance.tf:4-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
4 | resource "aws_instance" "testInstance" {
5 | ami = var.instance_ami
6 | instance_type = var.instance_type
7 | subnet_id = aws_subnet.subnet_public.id
8 | vpc_security_group_ids = [aws_security_group.sg_22.id]
9 | key_name = aws_key_pair.ec2key.key_name
10 | tags = {
11 | Environment = var.environment_tag
12 | }
13 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.testInstance
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_007_customVPC_igw_sbnt_rt_sg_kp_ec2/35-ec2-instance.tf:4-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
4 | resource "aws_instance" "testInstance" {
5 | ami = var.instance_ami
6 | instance_type = var.instance_type
7 | subnet_id = aws_subnet.subnet_public.id
8 | vpc_security_group_ids = [aws_security_group.sg_22.id]
9 | key_name = aws_key_pair.ec2key.key_name
10 | tags = {
11 | Environment = var.environment_tag
12 | }
13 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.main-public-1
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_008_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt/15-vpc.tf:14-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
14 | resource "aws_subnet" "main-public-1" {
15 | vpc_id = aws_vpc.main.id
16 | cidr_block = "10.0.1.0/24"
17 | map_public_ip_on_launch = "true"
18 | availability_zone = "us-east-1a"
19 |
20 | tags = {
21 | Name = "main-public-1"
22 | }
23 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.main-public-2
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_008_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt/15-vpc.tf:25-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
25 | resource "aws_subnet" "main-public-2" {
26 | vpc_id = aws_vpc.main.id
27 | cidr_block = "10.0.2.0/24"
28 | map_public_ip_on_launch = "true"
29 | availability_zone = "us-east-1b"
30 |
31 | tags = {
32 | Name = "main-public-2"
33 | }
34 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.main-public-3
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_008_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt/15-vpc.tf:36-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
36 | resource "aws_subnet" "main-public-3" {
37 | vpc_id = aws_vpc.main.id
38 | cidr_block = "10.0.3.0/24"
39 | map_public_ip_on_launch = "true"
40 | availability_zone = "us-east-1c"
41 |
42 | tags = {
43 | Name = "main-public-3"
44 | }
45 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.main-public-1
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_009_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt_ec2_ebs/15-vpc.tf:14-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
14 | resource "aws_subnet" "main-public-1" {
15 | vpc_id = aws_vpc.main.id
16 | cidr_block = "10.0.1.0/24"
17 | map_public_ip_on_launch = "true"
18 | availability_zone = "us-east-1a"
19 |
20 | tags = {
21 | Name = "main-public-1"
22 | }
23 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.main-public-2
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_009_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt_ec2_ebs/15-vpc.tf:25-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
25 | resource "aws_subnet" "main-public-2" {
26 | vpc_id = aws_vpc.main.id
27 | cidr_block = "10.0.2.0/24"
28 | map_public_ip_on_launch = "true"
29 | availability_zone = "us-east-1b"
30 |
31 | tags = {
32 | Name = "main-public-2"
33 | }
34 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.main-public-3
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_009_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt_ec2_ebs/15-vpc.tf:36-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
36 | resource "aws_subnet" "main-public-3" {
37 | vpc_id = aws_vpc.main.id
38 | cidr_block = "10.0.3.0/24"
39 | map_public_ip_on_launch = "true"
40 | availability_zone = "us-east-1c"
41 |
42 | tags = {
43 | Name = "main-public-3"
44 | }
45 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.allow-ssh
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_009_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt_ec2_ebs/16-securitygroup.tf:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
1 | resource "aws_security_group" "allow-ssh" {
2 | vpc_id = aws_vpc.main.id
3 | name = "allow-ssh"
4 | description = "security group that allows ssh and all egress traffic"
5 | egress {
6 | from_port = 0
7 | to_port = 0
8 | protocol = "-1"
9 | cidr_blocks = ["0.0.0.0/0"]
10 | }
11 |
12 | ingress {
13 | from_port = 22
14 | to_port = 22
15 | protocol = "tcp"
16 | cidr_blocks = ["0.0.0.0/0"]
17 | }
18 | tags = {
19 | Name = "allow-ssh"
20 | }
21 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.allow-ssh
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_009_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt_ec2_ebs/16-securitygroup.tf:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
1 | resource "aws_security_group" "allow-ssh" {
2 | vpc_id = aws_vpc.main.id
3 | name = "allow-ssh"
4 | description = "security group that allows ssh and all egress traffic"
5 | egress {
6 | from_port = 0
7 | to_port = 0
8 | protocol = "-1"
9 | cidr_blocks = ["0.0.0.0/0"]
10 | }
11 |
12 | ingress {
13 | from_port = 22
14 | to_port = 22
15 | protocol = "tcp"
16 | cidr_blocks = ["0.0.0.0/0"]
17 | }
18 | tags = {
19 | Name = "allow-ssh"
20 | }
21 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.example
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_009_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt_ec2_ebs/25-instance.tf:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
1 | resource "aws_instance" "example" {
2 | ami = var.AMIS[var.AWS_REGION]
3 | instance_type = "t2.micro"
4 |
5 | # the VPC subnet
6 | subnet_id = aws_subnet.main-public-1.id
7 |
8 | # the security group
9 | vpc_security_group_ids = [aws_security_group.allow-ssh.id]
10 |
11 | # the public SSH key
12 | key_name = aws_key_pair.mykeypair.key_name
13 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.example
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_009_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt_ec2_ebs/25-instance.tf:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
1 | resource "aws_instance" "example" {
2 | ami = var.AMIS[var.AWS_REGION]
3 | instance_type = "t2.micro"
4 |
5 | # the VPC subnet
6 | subnet_id = aws_subnet.main-public-1.id
7 |
8 | # the security group
9 | vpc_security_group_ids = [aws_security_group.allow-ssh.id]
10 |
11 | # the public SSH key
12 | key_name = aws_key_pair.mykeypair.key_name
13 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.example
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_009_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt_ec2_ebs/25-instance.tf:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
1 | resource "aws_instance" "example" {
2 | ami = var.AMIS[var.AWS_REGION]
3 | instance_type = "t2.micro"
4 |
5 | # the VPC subnet
6 | subnet_id = aws_subnet.main-public-1.id
7 |
8 | # the security group
9 | vpc_security_group_ids = [aws_security_group.allow-ssh.id]
10 |
11 | # the public SSH key
12 | key_name = aws_key_pair.mykeypair.key_name
13 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.example
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_009_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt_ec2_ebs/25-instance.tf:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
1 | resource "aws_instance" "example" {
2 | ami = var.AMIS[var.AWS_REGION]
3 | instance_type = "t2.micro"
4 |
5 | # the VPC subnet
6 | subnet_id = aws_subnet.main-public-1.id
7 |
8 | # the security group
9 | vpc_security_group_ids = [aws_security_group.allow-ssh.id]
10 |
11 | # the public SSH key
12 | key_name = aws_key_pair.mykeypair.key_name
13 | }
Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
FAILED for resource: aws_ebs_volume.ebs-volume-1
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_009_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt_ec2_ebs/25-instance.tf:15-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-109.html
15 | resource "aws_ebs_volume" "ebs-volume-1" {
16 | availability_zone = "us-east-1a"
17 | size = 10
18 | type = "gp2"
19 |
20 | tags = {
21 | Name = "custom ebs volume"
22 | }
23 | }
Check: CKV_AWS_3: "Ensure all data stored in the EBS is securely encrypted"
FAILED for resource: aws_ebs_volume.ebs-volume-1
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_009_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt_ec2_ebs/25-instance.tf:15-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-3-encrypt-ebs-volume.html
15 | resource "aws_ebs_volume" "ebs-volume-1" {
16 | availability_zone = "us-east-1a"
17 | size = 10
18 | type = "gp2"
19 |
20 | tags = {
21 | Name = "custom ebs volume"
22 | }
23 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.main-public-1
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_010_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt_ec2_ebs_withMount/15-vpc.tf:14-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
14 | resource "aws_subnet" "main-public-1" {
15 | vpc_id = aws_vpc.main.id
16 | cidr_block = "10.0.1.0/24"
17 | map_public_ip_on_launch = "true"
18 | availability_zone = "us-east-1a"
19 |
20 | tags = {
21 | Name = "main-public-1"
22 | }
23 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.main-public-2
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_010_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt_ec2_ebs_withMount/15-vpc.tf:25-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
25 | resource "aws_subnet" "main-public-2" {
26 | vpc_id = aws_vpc.main.id
27 | cidr_block = "10.0.2.0/24"
28 | map_public_ip_on_launch = "true"
29 | availability_zone = "us-east-1b"
30 |
31 | tags = {
32 | Name = "main-public-2"
33 | }
34 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.main-public-3
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_010_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt_ec2_ebs_withMount/15-vpc.tf:36-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
36 | resource "aws_subnet" "main-public-3" {
37 | vpc_id = aws_vpc.main.id
38 | cidr_block = "10.0.3.0/24"
39 | map_public_ip_on_launch = "true"
40 | availability_zone = "us-east-1c"
41 |
42 | tags = {
43 | Name = "main-public-3"
44 | }
45 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.allow-ssh
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_010_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt_ec2_ebs_withMount/16-securitygroup.tf:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
1 | resource "aws_security_group" "allow-ssh" {
2 | vpc_id = aws_vpc.main.id
3 | name = "allow-ssh"
4 | description = "security group that allows ssh and all egress traffic"
5 | egress {
6 | from_port = 0
7 | to_port = 0
8 | protocol = "-1"
9 | cidr_blocks = ["0.0.0.0/0"]
10 | }
11 |
12 | ingress {
13 | from_port = 22
14 | to_port = 22
15 | protocol = "tcp"
16 | cidr_blocks = ["0.0.0.0/0"]
17 | }
18 | tags = {
19 | Name = "allow-ssh"
20 | }
21 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.allow-ssh
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_010_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt_ec2_ebs_withMount/16-securitygroup.tf:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
1 | resource "aws_security_group" "allow-ssh" {
2 | vpc_id = aws_vpc.main.id
3 | name = "allow-ssh"
4 | description = "security group that allows ssh and all egress traffic"
5 | egress {
6 | from_port = 0
7 | to_port = 0
8 | protocol = "-1"
9 | cidr_blocks = ["0.0.0.0/0"]
10 | }
11 |
12 | ingress {
13 | from_port = 22
14 | to_port = 22
15 | protocol = "tcp"
16 | cidr_blocks = ["0.0.0.0/0"]
17 | }
18 | tags = {
19 | Name = "allow-ssh"
20 | }
21 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.example
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_010_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt_ec2_ebs_withMount/25-instance.tf:1-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
1 | resource "aws_instance" "example" {
2 | ami = var.AMIS[var.AWS_REGION]
3 | instance_type = "t2.micro"
4 |
5 | # the VPC subnet
6 | subnet_id = aws_subnet.main-public-1.id
7 |
8 | # the security group
9 | vpc_security_group_ids = [aws_security_group.allow-ssh.id]
10 |
11 | # the public SSH key
12 | key_name = aws_key_pair.mykeypair.key_name
13 |
14 | # user data
15 | user_data = data.template_cloudinit_config.cloudinit-example.rendered
16 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.example
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_010_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt_ec2_ebs_withMount/25-instance.tf:1-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
1 | resource "aws_instance" "example" {
2 | ami = var.AMIS[var.AWS_REGION]
3 | instance_type = "t2.micro"
4 |
5 | # the VPC subnet
6 | subnet_id = aws_subnet.main-public-1.id
7 |
8 | # the security group
9 | vpc_security_group_ids = [aws_security_group.allow-ssh.id]
10 |
11 | # the public SSH key
12 | key_name = aws_key_pair.mykeypair.key_name
13 |
14 | # user data
15 | user_data = data.template_cloudinit_config.cloudinit-example.rendered
16 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.example
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_010_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt_ec2_ebs_withMount/25-instance.tf:1-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
1 | resource "aws_instance" "example" {
2 | ami = var.AMIS[var.AWS_REGION]
3 | instance_type = "t2.micro"
4 |
5 | # the VPC subnet
6 | subnet_id = aws_subnet.main-public-1.id
7 |
8 | # the security group
9 | vpc_security_group_ids = [aws_security_group.allow-ssh.id]
10 |
11 | # the public SSH key
12 | key_name = aws_key_pair.mykeypair.key_name
13 |
14 | # user data
15 | user_data = data.template_cloudinit_config.cloudinit-example.rendered
16 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.example
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_010_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt_ec2_ebs_withMount/25-instance.tf:1-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
1 | resource "aws_instance" "example" {
2 | ami = var.AMIS[var.AWS_REGION]
3 | instance_type = "t2.micro"
4 |
5 | # the VPC subnet
6 | subnet_id = aws_subnet.main-public-1.id
7 |
8 | # the security group
9 | vpc_security_group_ids = [aws_security_group.allow-ssh.id]
10 |
11 | # the public SSH key
12 | key_name = aws_key_pair.mykeypair.key_name
13 |
14 | # user data
15 | user_data = data.template_cloudinit_config.cloudinit-example.rendered
16 | }
Check: CKV_AWS_189: "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)"
FAILED for resource: aws_ebs_volume.ebs-volume-1
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_010_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt_ec2_ebs_withMount/25-instance.tf:18-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-109.html
18 | resource "aws_ebs_volume" "ebs-volume-1" {
19 | availability_zone = "us-east-1a"
20 | size = 10
21 | type = "gp2"
22 |
23 | tags = {
24 | Name = "custom ebs volume"
25 | }
26 | }
Check: CKV_AWS_3: "Ensure all data stored in the EBS is securely encrypted"
FAILED for resource: aws_ebs_volume.ebs-volume-1
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_010_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt_ec2_ebs_withMount/25-instance.tf:18-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-3-encrypt-ebs-volume.html
18 | resource "aws_ebs_volume" "ebs-volume-1" {
19 | availability_zone = "us-east-1a"
20 | size = 10
21 | type = "gp2"
22 |
23 | tags = {
24 | Name = "custom ebs volume"
25 | }
26 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.main-public-1
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_012_rds_vpc_ec2/15-vpc.tf:14-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
14 | resource "aws_subnet" "main-public-1" {
15 | vpc_id = aws_vpc.main.id
16 | cidr_block = "10.0.1.0/24"
17 | map_public_ip_on_launch = "true"
18 | availability_zone = "us-east-1a"
19 |
20 | tags = {
21 | Name = "main-public-1"
22 | }
23 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.main-public-2
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_012_rds_vpc_ec2/15-vpc.tf:25-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
25 | resource "aws_subnet" "main-public-2" {
26 | vpc_id = aws_vpc.main.id
27 | cidr_block = "10.0.2.0/24"
28 | map_public_ip_on_launch = "true"
29 | availability_zone = "us-east-1b"
30 |
31 | tags = {
32 | Name = "main-public-2"
33 | }
34 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.main-public-3
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_012_rds_vpc_ec2/15-vpc.tf:36-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
36 | resource "aws_subnet" "main-public-3" {
37 | vpc_id = aws_vpc.main.id
38 | cidr_block = "10.0.3.0/24"
39 | map_public_ip_on_launch = "true"
40 | availability_zone = "us-east-1c"
41 |
42 | tags = {
43 | Name = "main-public-3"
44 | }
45 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.example-instance
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_012_rds_vpc_ec2/18-securitygroup.tf:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
1 | resource "aws_security_group" "example-instance" {
2 | vpc_id = aws_vpc.main.id
3 | name = "allow-ssh"
4 | description = "security group that allows ssh and all egress traffic"
5 | egress {
6 | from_port = 0
7 | to_port = 0
8 | protocol = "-1"
9 | cidr_blocks = ["0.0.0.0/0"]
10 | }
11 |
12 | ingress {
13 | from_port = 22
14 | to_port = 22
15 | protocol = "tcp"
16 | cidr_blocks = ["0.0.0.0/0"]
17 | }
18 | tags = {
19 | Name = "example-instance"
20 | }
21 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.example-instance
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_012_rds_vpc_ec2/18-securitygroup.tf:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
1 | resource "aws_security_group" "example-instance" {
2 | vpc_id = aws_vpc.main.id
3 | name = "allow-ssh"
4 | description = "security group that allows ssh and all egress traffic"
5 | egress {
6 | from_port = 0
7 | to_port = 0
8 | protocol = "-1"
9 | cidr_blocks = ["0.0.0.0/0"]
10 | }
11 |
12 | ingress {
13 | from_port = 22
14 | to_port = 22
15 | protocol = "tcp"
16 | cidr_blocks = ["0.0.0.0/0"]
17 | }
18 | tags = {
19 | Name = "example-instance"
20 | }
21 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.allow-mariadb
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_012_rds_vpc_ec2/18-securitygroup.tf:23-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
23 | resource "aws_security_group" "allow-mariadb" {
24 | vpc_id = aws_vpc.main.id
25 | name = "allow-mariadb"
26 | description = "allow-mariadb"
27 | ingress {
28 | from_port = 3306
29 | to_port = 3306
30 | protocol = "tcp"
31 | // If the connection comes from an instance that has the following securiy group attached , it will be allowed
32 | security_groups = [aws_security_group.example-instance.id] # allowing access from our example instance
33 | }
34 | egress {
35 | from_port = 0
36 | to_port = 0
37 | protocol = "-1"
38 | cidr_blocks = ["0.0.0.0/0"]
39 | self = true
40 | }
41 | tags = {
42 | Name = "allow-mariadb"
43 | }
44 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.example
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_012_rds_vpc_ec2/20-instance.tf:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
1 | resource "aws_instance" "example" {
2 | ami = var.AMIS[var.AWS_REGION]
3 | instance_type = "t2.micro"
4 |
5 | # the VPC subnet
6 | subnet_id = aws_subnet.main-public-1.id
7 |
8 | # the security group
9 | vpc_security_group_ids = [aws_security_group.example-instance.id]
10 |
11 | # the public SSH key
12 | key_name = aws_key_pair.mykeypair.key_name
13 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.example
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_012_rds_vpc_ec2/20-instance.tf:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
1 | resource "aws_instance" "example" {
2 | ami = var.AMIS[var.AWS_REGION]
3 | instance_type = "t2.micro"
4 |
5 | # the VPC subnet
6 | subnet_id = aws_subnet.main-public-1.id
7 |
8 | # the security group
9 | vpc_security_group_ids = [aws_security_group.example-instance.id]
10 |
11 | # the public SSH key
12 | key_name = aws_key_pair.mykeypair.key_name
13 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.example
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_012_rds_vpc_ec2/20-instance.tf:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
1 | resource "aws_instance" "example" {
2 | ami = var.AMIS[var.AWS_REGION]
3 | instance_type = "t2.micro"
4 |
5 | # the VPC subnet
6 | subnet_id = aws_subnet.main-public-1.id
7 |
8 | # the security group
9 | vpc_security_group_ids = [aws_security_group.example-instance.id]
10 |
11 | # the public SSH key
12 | key_name = aws_key_pair.mykeypair.key_name
13 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.example
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_012_rds_vpc_ec2/20-instance.tf:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
1 | resource "aws_instance" "example" {
2 | ami = var.AMIS[var.AWS_REGION]
3 | instance_type = "t2.micro"
4 |
5 | # the VPC subnet
6 | subnet_id = aws_subnet.main-public-1.id
7 |
8 | # the security group
9 | vpc_security_group_ids = [aws_security_group.example-instance.id]
10 |
11 | # the public SSH key
12 | key_name = aws_key_pair.mykeypair.key_name
13 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: aws_db_instance.mariadb
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_012_rds_vpc_ec2/25-rds.tf:19-39
19 | resource "aws_db_instance" "mariadb" {
20 | allocated_storage = 100 # 100 GB of storage, gives us more IOPS than a lower number
21 | engine = "mariadb"
22 | engine_version = "10.1.14"
23 | instance_class = "db.t2.small" # use micro if you want to use the free tier
24 | identifier = "mariadb"
25 | name = "mariadb"
26 | username = "root" # username
27 | password = var.RDS_PASSWORD # password
28 | db_subnet_group_name = aws_db_subnet_group.mariadb-subnet.name
29 | parameter_group_name = aws_db_parameter_group.mariadb-parameters.name
30 | multi_az = "false" # set to true to have high availability: 2 instances synchronized with each other
31 | vpc_security_group_ids = [aws_security_group.allow-mariadb.id]
32 | storage_type = "gp2"
33 | backup_retention_period = 30 # how long you’re going to keep your backups
34 | availability_zone = aws_subnet.main-private-1.availability_zone # prefered AZ
35 | skip_final_snapshot = true # skip final snapshot when doing terraform destroy
36 | tags = {
37 | Name = "mariadb-instance"
38 | }
39 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: aws_db_instance.mariadb
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_012_rds_vpc_ec2/25-rds.tf:19-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
19 | resource "aws_db_instance" "mariadb" {
20 | allocated_storage = 100 # 100 GB of storage, gives us more IOPS than a lower number
21 | engine = "mariadb"
22 | engine_version = "10.1.14"
23 | instance_class = "db.t2.small" # use micro if you want to use the free tier
24 | identifier = "mariadb"
25 | name = "mariadb"
26 | username = "root" # username
27 | password = var.RDS_PASSWORD # password
28 | db_subnet_group_name = aws_db_subnet_group.mariadb-subnet.name
29 | parameter_group_name = aws_db_parameter_group.mariadb-parameters.name
30 | multi_az = "false" # set to true to have high availability: 2 instances synchronized with each other
31 | vpc_security_group_ids = [aws_security_group.allow-mariadb.id]
32 | storage_type = "gp2"
33 | backup_retention_period = 30 # how long you’re going to keep your backups
34 | availability_zone = aws_subnet.main-private-1.availability_zone # prefered AZ
35 | skip_final_snapshot = true # skip final snapshot when doing terraform destroy
36 | tags = {
37 | Name = "mariadb-instance"
38 | }
39 | }
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: aws_db_instance.mariadb
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_012_rds_vpc_ec2/25-rds.tf:19-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
19 | resource "aws_db_instance" "mariadb" {
20 | allocated_storage = 100 # 100 GB of storage, gives us more IOPS than a lower number
21 | engine = "mariadb"
22 | engine_version = "10.1.14"
23 | instance_class = "db.t2.small" # use micro if you want to use the free tier
24 | identifier = "mariadb"
25 | name = "mariadb"
26 | username = "root" # username
27 | password = var.RDS_PASSWORD # password
28 | db_subnet_group_name = aws_db_subnet_group.mariadb-subnet.name
29 | parameter_group_name = aws_db_parameter_group.mariadb-parameters.name
30 | multi_az = "false" # set to true to have high availability: 2 instances synchronized with each other
31 | vpc_security_group_ids = [aws_security_group.allow-mariadb.id]
32 | storage_type = "gp2"
33 | backup_retention_period = 30 # how long you’re going to keep your backups
34 | availability_zone = aws_subnet.main-private-1.availability_zone # prefered AZ
35 | skip_final_snapshot = true # skip final snapshot when doing terraform destroy
36 | tags = {
37 | Name = "mariadb-instance"
38 | }
39 | }
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.mariadb
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_012_rds_vpc_ec2/25-rds.tf:19-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
19 | resource "aws_db_instance" "mariadb" {
20 | allocated_storage = 100 # 100 GB of storage, gives us more IOPS than a lower number
21 | engine = "mariadb"
22 | engine_version = "10.1.14"
23 | instance_class = "db.t2.small" # use micro if you want to use the free tier
24 | identifier = "mariadb"
25 | name = "mariadb"
26 | username = "root" # username
27 | password = var.RDS_PASSWORD # password
28 | db_subnet_group_name = aws_db_subnet_group.mariadb-subnet.name
29 | parameter_group_name = aws_db_parameter_group.mariadb-parameters.name
30 | multi_az = "false" # set to true to have high availability: 2 instances synchronized with each other
31 | vpc_security_group_ids = [aws_security_group.allow-mariadb.id]
32 | storage_type = "gp2"
33 | backup_retention_period = 30 # how long you’re going to keep your backups
34 | availability_zone = aws_subnet.main-private-1.availability_zone # prefered AZ
35 | skip_final_snapshot = true # skip final snapshot when doing terraform destroy
36 | tags = {
37 | Name = "mariadb-instance"
38 | }
39 | }
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: aws_db_instance.mariadb
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_012_rds_vpc_ec2/25-rds.tf:19-39
19 | resource "aws_db_instance" "mariadb" {
20 | allocated_storage = 100 # 100 GB of storage, gives us more IOPS than a lower number
21 | engine = "mariadb"
22 | engine_version = "10.1.14"
23 | instance_class = "db.t2.small" # use micro if you want to use the free tier
24 | identifier = "mariadb"
25 | name = "mariadb"
26 | username = "root" # username
27 | password = var.RDS_PASSWORD # password
28 | db_subnet_group_name = aws_db_subnet_group.mariadb-subnet.name
29 | parameter_group_name = aws_db_parameter_group.mariadb-parameters.name
30 | multi_az = "false" # set to true to have high availability: 2 instances synchronized with each other
31 | vpc_security_group_ids = [aws_security_group.allow-mariadb.id]
32 | storage_type = "gp2"
33 | backup_retention_period = 30 # how long you’re going to keep your backups
34 | availability_zone = aws_subnet.main-private-1.availability_zone # prefered AZ
35 | skip_final_snapshot = true # skip final snapshot when doing terraform destroy
36 | tags = {
37 | Name = "mariadb-instance"
38 | }
39 | }
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: aws_db_instance.mariadb
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_012_rds_vpc_ec2/25-rds.tf:19-39
19 | resource "aws_db_instance" "mariadb" {
20 | allocated_storage = 100 # 100 GB of storage, gives us more IOPS than a lower number
21 | engine = "mariadb"
22 | engine_version = "10.1.14"
23 | instance_class = "db.t2.small" # use micro if you want to use the free tier
24 | identifier = "mariadb"
25 | name = "mariadb"
26 | username = "root" # username
27 | password = var.RDS_PASSWORD # password
28 | db_subnet_group_name = aws_db_subnet_group.mariadb-subnet.name
29 | parameter_group_name = aws_db_parameter_group.mariadb-parameters.name
30 | multi_az = "false" # set to true to have high availability: 2 instances synchronized with each other
31 | vpc_security_group_ids = [aws_security_group.allow-mariadb.id]
32 | storage_type = "gp2"
33 | backup_retention_period = 30 # how long you’re going to keep your backups
34 | availability_zone = aws_subnet.main-private-1.availability_zone # prefered AZ
35 | skip_final_snapshot = true # skip final snapshot when doing terraform destroy
36 | tags = {
37 | Name = "mariadb-instance"
38 | }
39 | }
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: aws_db_instance.mariadb
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_012_rds_vpc_ec2/25-rds.tf:19-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
19 | resource "aws_db_instance" "mariadb" {
20 | allocated_storage = 100 # 100 GB of storage, gives us more IOPS than a lower number
21 | engine = "mariadb"
22 | engine_version = "10.1.14"
23 | instance_class = "db.t2.small" # use micro if you want to use the free tier
24 | identifier = "mariadb"
25 | name = "mariadb"
26 | username = "root" # username
27 | password = var.RDS_PASSWORD # password
28 | db_subnet_group_name = aws_db_subnet_group.mariadb-subnet.name
29 | parameter_group_name = aws_db_parameter_group.mariadb-parameters.name
30 | multi_az = "false" # set to true to have high availability: 2 instances synchronized with each other
31 | vpc_security_group_ids = [aws_security_group.allow-mariadb.id]
32 | storage_type = "gp2"
33 | backup_retention_period = 30 # how long you’re going to keep your backups
34 | availability_zone = aws_subnet.main-private-1.availability_zone # prefered AZ
35 | skip_final_snapshot = true # skip final snapshot when doing terraform destroy
36 | tags = {
37 | Name = "mariadb-instance"
38 | }
39 | }
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: aws_db_instance.mariadb
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_012_rds_vpc_ec2/25-rds.tf:19-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
19 | resource "aws_db_instance" "mariadb" {
20 | allocated_storage = 100 # 100 GB of storage, gives us more IOPS than a lower number
21 | engine = "mariadb"
22 | engine_version = "10.1.14"
23 | instance_class = "db.t2.small" # use micro if you want to use the free tier
24 | identifier = "mariadb"
25 | name = "mariadb"
26 | username = "root" # username
27 | password = var.RDS_PASSWORD # password
28 | db_subnet_group_name = aws_db_subnet_group.mariadb-subnet.name
29 | parameter_group_name = aws_db_parameter_group.mariadb-parameters.name
30 | multi_az = "false" # set to true to have high availability: 2 instances synchronized with each other
31 | vpc_security_group_ids = [aws_security_group.allow-mariadb.id]
32 | storage_type = "gp2"
33 | backup_retention_period = 30 # how long you’re going to keep your backups
34 | availability_zone = aws_subnet.main-private-1.availability_zone # prefered AZ
35 | skip_final_snapshot = true # skip final snapshot when doing terraform destroy
36 | tags = {
37 | Name = "mariadb-instance"
38 | }
39 | }
Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
FAILED for resource: aws_iam_policy_attachment.administrators-attach
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_013_IAM/10-iam.tf:6-10
6 | resource "aws_iam_policy_attachment" "administrators-attach" {
7 | name = "administrators-attach"
8 | groups = [aws_iam_group.administrators.name]
9 | policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
10 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.admin1
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_013_IAM/10-iam.tf:13-15
13 | resource "aws_iam_user" "admin1" {
14 | name = "admin1"
15 | }
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
FAILED for resource: aws_iam_user.admin2
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_013_IAM/10-iam.tf:17-19
17 | resource "aws_iam_user" "admin2" {
18 | name = "admin2"
19 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.main-public-1
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_014_IAM_roles_s3_upload_to_s3/15-vpc.tf:14-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
14 | resource "aws_subnet" "main-public-1" {
15 | vpc_id = aws_vpc.main.id
16 | cidr_block = "10.0.1.0/24"
17 | map_public_ip_on_launch = "true"
18 | availability_zone = "us-east-1a"
19 |
20 | tags = {
21 | Name = "main-public-1"
22 | }
23 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.main-public-2
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_014_IAM_roles_s3_upload_to_s3/15-vpc.tf:25-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
25 | resource "aws_subnet" "main-public-2" {
26 | vpc_id = aws_vpc.main.id
27 | cidr_block = "10.0.2.0/24"
28 | map_public_ip_on_launch = "true"
29 | availability_zone = "us-east-1b"
30 |
31 | tags = {
32 | Name = "main-public-2"
33 | }
34 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.main-public-3
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_014_IAM_roles_s3_upload_to_s3/15-vpc.tf:36-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
36 | resource "aws_subnet" "main-public-3" {
37 | vpc_id = aws_vpc.main.id
38 | cidr_block = "10.0.3.0/24"
39 | map_public_ip_on_launch = "true"
40 | availability_zone = "us-east-1c"
41 |
42 | tags = {
43 | Name = "main-public-3"
44 | }
45 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.example-instance
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_014_IAM_roles_s3_upload_to_s3/18-securitygroup.tf:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
1 | resource "aws_security_group" "example-instance" {
2 | vpc_id = aws_vpc.main.id
3 | name = "allow-ssh"
4 | description = "security group that allows ssh and all egress traffic"
5 | egress {
6 | from_port = 0
7 | to_port = 0
8 | protocol = "-1"
9 | cidr_blocks = ["0.0.0.0/0"]
10 | }
11 |
12 | ingress {
13 | from_port = 22
14 | to_port = 22
15 | protocol = "tcp"
16 | cidr_blocks = ["0.0.0.0/0"]
17 | }
18 | tags = {
19 | Name = "example-instance"
20 | }
21 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.example-instance
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_014_IAM_roles_s3_upload_to_s3/18-securitygroup.tf:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
1 | resource "aws_security_group" "example-instance" {
2 | vpc_id = aws_vpc.main.id
3 | name = "allow-ssh"
4 | description = "security group that allows ssh and all egress traffic"
5 | egress {
6 | from_port = 0
7 | to_port = 0
8 | protocol = "-1"
9 | cidr_blocks = ["0.0.0.0/0"]
10 | }
11 |
12 | ingress {
13 | from_port = 22
14 | to_port = 22
15 | protocol = "tcp"
16 | cidr_blocks = ["0.0.0.0/0"]
17 | }
18 | tags = {
19 | Name = "example-instance"
20 | }
21 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.example
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_014_IAM_roles_s3_upload_to_s3/20-instance.tf:1-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
1 | resource "aws_instance" "example" {
2 | ami = var.AMIS[var.AWS_REGION]
3 | instance_type = "t2.micro"
4 |
5 | # the VPC subnet
6 | subnet_id = aws_subnet.main-public-1.id
7 |
8 | # the security group
9 | vpc_security_group_ids = [aws_security_group.example-instance.id]
10 |
11 | # the public SSH key
12 | key_name = aws_key_pair.mykeypair.key_name
13 |
14 | # role:
15 | iam_instance_profile = aws_iam_instance_profile.s3-mybucket-role-instanceprofile.name
16 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.example
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_014_IAM_roles_s3_upload_to_s3/20-instance.tf:1-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
1 | resource "aws_instance" "example" {
2 | ami = var.AMIS[var.AWS_REGION]
3 | instance_type = "t2.micro"
4 |
5 | # the VPC subnet
6 | subnet_id = aws_subnet.main-public-1.id
7 |
8 | # the security group
9 | vpc_security_group_ids = [aws_security_group.example-instance.id]
10 |
11 | # the public SSH key
12 | key_name = aws_key_pair.mykeypair.key_name
13 |
14 | # role:
15 | iam_instance_profile = aws_iam_instance_profile.s3-mybucket-role-instanceprofile.name
16 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.example
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_014_IAM_roles_s3_upload_to_s3/20-instance.tf:1-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
1 | resource "aws_instance" "example" {
2 | ami = var.AMIS[var.AWS_REGION]
3 | instance_type = "t2.micro"
4 |
5 | # the VPC subnet
6 | subnet_id = aws_subnet.main-public-1.id
7 |
8 | # the security group
9 | vpc_security_group_ids = [aws_security_group.example-instance.id]
10 |
11 | # the public SSH key
12 | key_name = aws_key_pair.mykeypair.key_name
13 |
14 | # role:
15 | iam_instance_profile = aws_iam_instance_profile.s3-mybucket-role-instanceprofile.name
16 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.example
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_014_IAM_roles_s3_upload_to_s3/20-instance.tf:1-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
1 | resource "aws_instance" "example" {
2 | ami = var.AMIS[var.AWS_REGION]
3 | instance_type = "t2.micro"
4 |
5 | # the VPC subnet
6 | subnet_id = aws_subnet.main-public-1.id
7 |
8 | # the security group
9 | vpc_security_group_ids = [aws_security_group.example-instance.id]
10 |
11 | # the public SSH key
12 | key_name = aws_key_pair.mykeypair.key_name
13 |
14 | # role:
15 | iam_instance_profile = aws_iam_instance_profile.s3-mybucket-role-instanceprofile.name
16 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.main-public-1
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_015_autoscaling_cloudwatchAlarm_ec2_launchConfiguration/15-vpc.tf:14-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
14 | resource "aws_subnet" "main-public-1" {
15 | vpc_id = aws_vpc.main.id
16 | cidr_block = "10.0.1.0/24"
17 | map_public_ip_on_launch = "true"
18 | availability_zone = "us-east-1a"
19 |
20 | tags = {
21 | Name = "main-public-1"
22 | }
23 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.main-public-2
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_015_autoscaling_cloudwatchAlarm_ec2_launchConfiguration/15-vpc.tf:25-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
25 | resource "aws_subnet" "main-public-2" {
26 | vpc_id = aws_vpc.main.id
27 | cidr_block = "10.0.2.0/24"
28 | map_public_ip_on_launch = "true"
29 | availability_zone = "us-east-1b"
30 |
31 | tags = {
32 | Name = "main-public-2"
33 | }
34 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.main-public-3
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_015_autoscaling_cloudwatchAlarm_ec2_launchConfiguration/15-vpc.tf:36-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
36 | resource "aws_subnet" "main-public-3" {
37 | vpc_id = aws_vpc.main.id
38 | cidr_block = "10.0.3.0/24"
39 | map_public_ip_on_launch = "true"
40 | availability_zone = "us-east-1c"
41 |
42 | tags = {
43 | Name = "main-public-3"
44 | }
45 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.allow-ssh
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_015_autoscaling_cloudwatchAlarm_ec2_launchConfiguration/18-securitygroup.tf:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
1 | resource "aws_security_group" "allow-ssh" {
2 | vpc_id = aws_vpc.main.id
3 | name = "allow-ssh"
4 | description = "security group that allows ssh and all egress traffic"
5 | egress {
6 | from_port = 0
7 | to_port = 0
8 | protocol = "-1"
9 | cidr_blocks = ["0.0.0.0/0"]
10 | }
11 |
12 | ingress {
13 | from_port = 22
14 | to_port = 22
15 | protocol = "tcp"
16 | cidr_blocks = ["0.0.0.0/0"]
17 | }
18 | tags = {
19 | Name = "allow-ssh"
20 | }
21 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.allow-ssh
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_015_autoscaling_cloudwatchAlarm_ec2_launchConfiguration/18-securitygroup.tf:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
1 | resource "aws_security_group" "allow-ssh" {
2 | vpc_id = aws_vpc.main.id
3 | name = "allow-ssh"
4 | description = "security group that allows ssh and all egress traffic"
5 | egress {
6 | from_port = 0
7 | to_port = 0
8 | protocol = "-1"
9 | cidr_blocks = ["0.0.0.0/0"]
10 | }
11 |
12 | ingress {
13 | from_port = 22
14 | to_port = 22
15 | protocol = "tcp"
16 | cidr_blocks = ["0.0.0.0/0"]
17 | }
18 | tags = {
19 | Name = "allow-ssh"
20 | }
21 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_launch_configuration.example-launchconfig
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_015_autoscaling_cloudwatchAlarm_ec2_launchConfiguration/25-autoscaling.tf:2-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
2 | resource "aws_launch_configuration" "example-launchconfig" {
3 | name_prefix = "example-launchconfig"
4 | image_id = var.AMIS[var.AWS_REGION]
5 | instance_type = "t2.micro"
6 | key_name = aws_key_pair.mykeypair.key_name
7 | security_groups = [aws_security_group.allow-ssh.id]
8 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_launch_configuration.example-launchconfig
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_015_autoscaling_cloudwatchAlarm_ec2_launchConfiguration/25-autoscaling.tf:2-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
2 | resource "aws_launch_configuration" "example-launchconfig" {
3 | name_prefix = "example-launchconfig"
4 | image_id = var.AMIS[var.AWS_REGION]
5 | instance_type = "t2.micro"
6 | key_name = aws_key_pair.mykeypair.key_name
7 | security_groups = [aws_security_group.allow-ssh.id]
8 | }
Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
FAILED for resource: aws_autoscaling_group.example-autoscaling
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_015_autoscaling_cloudwatchAlarm_ec2_launchConfiguration/25-autoscaling.tf:11-26
11 | resource "aws_autoscaling_group" "example-autoscaling" {
12 | name = "example-autoscaling"
13 | vpc_zone_identifier = [aws_subnet.main-public-1.id, aws_subnet.main-public-2.id]
14 | launch_configuration = aws_launch_configuration.example-launchconfig.name
15 | min_size = 1
16 | max_size = 2
17 | health_check_grace_period = 300
18 | health_check_type = "EC2"
19 | force_delete = true
20 |
21 | tag {
22 | key = "Name"
23 | value = "ec2 instance"
24 | propagate_at_launch = true
25 | }
26 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.example-sns
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_015_autoscaling_cloudwatchAlarm_ec2_launchConfiguration/30-sns.tf:3-6
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-15.html
3 | resource "aws_sns_topic" "example-sns" {
4 | name = "sg-sns"
5 | display_name = "example ASG SNS topic"
6 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.main-public-1
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_016_ELB_autoscaling/15-vpc.tf:14-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
14 | resource "aws_subnet" "main-public-1" {
15 | vpc_id = aws_vpc.main.id
16 | cidr_block = "10.0.1.0/24"
17 | map_public_ip_on_launch = "true"
18 | availability_zone = "us-east-1a"
19 |
20 | tags = {
21 | Name = "main-public-1"
22 | }
23 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.main-public-2
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_016_ELB_autoscaling/15-vpc.tf:25-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
25 | resource "aws_subnet" "main-public-2" {
26 | vpc_id = aws_vpc.main.id
27 | cidr_block = "10.0.2.0/24"
28 | map_public_ip_on_launch = "true"
29 | availability_zone = "us-east-1b"
30 |
31 | tags = {
32 | Name = "main-public-2"
33 | }
34 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.main-public-3
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_016_ELB_autoscaling/15-vpc.tf:36-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
36 | resource "aws_subnet" "main-public-3" {
37 | vpc_id = aws_vpc.main.id
38 | cidr_block = "10.0.3.0/24"
39 | map_public_ip_on_launch = "true"
40 | availability_zone = "us-east-1c"
41 |
42 | tags = {
43 | Name = "main-public-3"
44 | }
45 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.myinstance
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_016_ELB_autoscaling/18-securitygroup.tf:1-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
1 | resource "aws_security_group" "myinstance" {
2 | vpc_id = aws_vpc.main.id
3 | name = "myinstance"
4 | description = "security group for my instance"
5 | egress {
6 | from_port = 0
7 | to_port = 0
8 | protocol = "-1"
9 | cidr_blocks = ["0.0.0.0/0"]
10 | }
11 |
12 | ingress {
13 | from_port = 22
14 | to_port = 22
15 | protocol = "tcp"
16 | cidr_blocks = ["0.0.0.0/0"]
17 | }
18 |
19 | ingress {
20 | from_port = 80
21 | to_port = 80
22 | protocol = "tcp"
23 | security_groups = [aws_security_group.elb-securitygroup.id]
24 | }
25 |
26 | tags = {
27 | Name = "myinstance"
28 | }
29 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.myinstance
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_016_ELB_autoscaling/18-securitygroup.tf:1-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
1 | resource "aws_security_group" "myinstance" {
2 | vpc_id = aws_vpc.main.id
3 | name = "myinstance"
4 | description = "security group for my instance"
5 | egress {
6 | from_port = 0
7 | to_port = 0
8 | protocol = "-1"
9 | cidr_blocks = ["0.0.0.0/0"]
10 | }
11 |
12 | ingress {
13 | from_port = 22
14 | to_port = 22
15 | protocol = "tcp"
16 | cidr_blocks = ["0.0.0.0/0"]
17 | }
18 |
19 | ingress {
20 | from_port = 80
21 | to_port = 80
22 | protocol = "tcp"
23 | security_groups = [aws_security_group.elb-securitygroup.id]
24 | }
25 |
26 | tags = {
27 | Name = "myinstance"
28 | }
29 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.elb-securitygroup
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_016_ELB_autoscaling/18-securitygroup.tf:31-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
31 | resource "aws_security_group" "elb-securitygroup" {
32 | vpc_id = aws_vpc.main.id
33 | name = "elb"
34 | description = "security group for load balancer"
35 | egress {
36 | from_port = 0
37 | to_port = 0
38 | protocol = "-1"
39 | cidr_blocks = ["0.0.0.0/0"]
40 | }
41 |
42 | ingress {
43 | from_port = 80
44 | to_port = 80
45 | protocol = "tcp"
46 | cidr_blocks = ["0.0.0.0/0"]
47 | }
48 | tags = {
49 | Name = "elb"
50 | }
51 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.elb-securitygroup
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_016_ELB_autoscaling/18-securitygroup.tf:31-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
Check: CKV_AWS_92: "Ensure the ELB has access logging enabled"
FAILED for resource: aws_elb.my-elb
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_016_ELB_autoscaling/19-elb.tf:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-23.html
1 | resource "aws_elb" "my-elb" {
2 | name = "my-elb"
3 | subnets = [aws_subnet.main-public-1.id, aws_subnet.main-public-2.id]
4 | security_groups = [aws_security_group.elb-securitygroup.id]
5 | listener {
6 | instance_port = 80
7 | instance_protocol = "http"
8 | lb_port = 80
9 | lb_protocol = "http"
10 | }
11 | health_check {
12 | healthy_threshold = 2
13 | unhealthy_threshold = 2
14 | timeout = 3
15 | target = "HTTP:80/"
16 | interval = 30
17 | }
18 |
19 | cross_zone_load_balancing = true
20 | connection_draining = true
21 | connection_draining_timeout = 400
22 | tags = {
23 | Name = "my-elb"
24 | }
25 | }
Check: CKV_AWS_127: "Ensure that Elastic Load Balancer(s) uses SSL certificates provided by AWS Certificate Manager"
FAILED for resource: aws_elb.my-elb
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_016_ELB_autoscaling/19-elb.tf:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-load-balancers-uses-ssl-certificates-provided-by-aws-certificate-manager.html
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_launch_configuration.example-launchconfig
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_016_ELB_autoscaling/20-autoscaling.tf:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
1 | resource "aws_launch_configuration" "example-launchconfig" {
2 | name_prefix = "example-launchconfig"
3 | image_id = var.AMIS[var.AWS_REGION]
4 | instance_type = "t2.micro"
5 | key_name = aws_key_pair.mykeypair.key_name
6 | security_groups = [aws_security_group.myinstance.id]
7 | user_data = "#!/bin/bash\napt-get update\napt-get -y install nginx\nMYIP=`ifconfig | grep 'addr:10' | awk '{ print $2 }' | cut -d ':' -f2`\necho 'this is: '$MYIP > /var/www/html/index.html\nservice nginx start"
8 | lifecycle {
9 | create_before_destroy = true
10 | }
11 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_launch_configuration.example-launchconfig
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_016_ELB_autoscaling/20-autoscaling.tf:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
FAILED for resource: aws_autoscaling_group.example-autoscaling
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_016_ELB_autoscaling/20-autoscaling.tf:13-29
13 | resource "aws_autoscaling_group" "example-autoscaling" {
14 | name = "example-autoscaling"
15 | vpc_zone_identifier = [aws_subnet.main-public-1.id, aws_subnet.main-public-2.id]
16 | launch_configuration = aws_launch_configuration.example-launchconfig.name
17 | min_size = 2
18 | max_size = 2
19 | health_check_grace_period = 300
20 | health_check_type = "ELB"
21 | load_balancers = [aws_elb.my-elb.name]
22 | force_delete = true
23 |
24 | tag {
25 | key = "Name"
26 | value = "ec2 instance"
27 | propagate_at_launch = true
28 | }
29 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.main-public-1
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_017_Elastic_Beanstalk/15-vpc.tf:14-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
14 | resource "aws_subnet" "main-public-1" {
15 | vpc_id = aws_vpc.main.id
16 | cidr_block = "10.0.1.0/24"
17 | map_public_ip_on_launch = "true"
18 | availability_zone = "us-east-1a"
19 |
20 | tags = {
21 | Name = "main-public-1"
22 | }
23 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.main-public-2
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_017_Elastic_Beanstalk/15-vpc.tf:25-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
25 | resource "aws_subnet" "main-public-2" {
26 | vpc_id = aws_vpc.main.id
27 | cidr_block = "10.0.2.0/24"
28 | map_public_ip_on_launch = "true"
29 | availability_zone = "us-east-1b"
30 |
31 | tags = {
32 | Name = "main-public-2"
33 | }
34 | }
Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
FAILED for resource: aws_subnet.main-public-3
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_017_Elastic_Beanstalk/15-vpc.tf:36-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
36 | resource "aws_subnet" "main-public-3" {
37 | vpc_id = aws_vpc.main.id
38 | cidr_block = "10.0.3.0/24"
39 | map_public_ip_on_launch = "true"
40 | availability_zone = "us-east-1c"
41 |
42 | tags = {
43 | Name = "main-public-3"
44 | }
45 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.app-prod
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_017_Elastic_Beanstalk/18-securitygroup.tf:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
1 | resource "aws_security_group" "app-prod" {
2 | vpc_id = aws_vpc.main.id
3 | name = "application - production"
4 | description = "security group for my app"
5 | egress {
6 | from_port = 0
7 | to_port = 0
8 | protocol = "-1"
9 | cidr_blocks = ["0.0.0.0/0"]
10 | }
11 |
12 | ingress {
13 | from_port = 22
14 | to_port = 22
15 | protocol = "tcp"
16 | cidr_blocks = ["0.0.0.0/0"]
17 | }
18 |
19 | tags = {
20 | Name = "myinstance"
21 | }
22 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.app-prod
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_017_Elastic_Beanstalk/18-securitygroup.tf:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.allow-mariadb
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_017_Elastic_Beanstalk/18-securitygroup.tf:24-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
24 | resource "aws_security_group" "allow-mariadb" {
25 | vpc_id = aws_vpc.main.id
26 | name = "allow-mariadb"
27 | description = "allow-mariadb"
28 | ingress {
29 | from_port = 3306
30 | to_port = 3306
31 | protocol = "tcp"
32 | security_groups = [aws_security_group.app-prod.id] # allowing access from our example instance
33 | }
34 | egress {
35 | from_port = 0
36 | to_port = 0
37 | protocol = "-1"
38 | cidr_blocks = ["0.0.0.0/0"]
39 | self = true
40 | }
41 | tags = {
42 | Name = "allow-mariadb"
43 | }
44 | }
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
FAILED for resource: aws_db_instance.mariadb
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_017_Elastic_Beanstalk/25-rds.tf:18-38
18 | resource "aws_db_instance" "mariadb" {
19 | allocated_storage = 100 # 100 GB of storage, gives us more IOPS than a lower number
20 | engine = "mariadb"
21 | engine_version = "10.1.14"
22 | instance_class = "db.t2.small" # use micro if you want to use the free tier
23 | identifier = "mariadb"
24 | name = "mydatabase" # database name
25 | username = "root" # username
26 | password = var.RDS_PASSWORD # password
27 | db_subnet_group_name = aws_db_subnet_group.mariadb-subnet.name
28 | parameter_group_name = aws_db_parameter_group.mariadb-parameters.name
29 | multi_az = "false" # set to true to have high availability: 2 instances synchronized with each other
30 | vpc_security_group_ids = [aws_security_group.allow-mariadb.id]
31 | storage_type = "gp2"
32 | backup_retention_period = 30 # how long you’re going to keep your backups
33 | availability_zone = aws_subnet.main-private-1.availability_zone # prefered AZ
34 | final_snapshot_identifier = "mariadb-final-snapshot" # final snapshot when executing terraform destroy
35 | tags = {
36 | Name = "mariadb-instance"
37 | }
38 | }
Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
FAILED for resource: aws_db_instance.mariadb
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_017_Elastic_Beanstalk/25-rds.tf:18-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
FAILED for resource: aws_db_instance.mariadb
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_017_Elastic_Beanstalk/25-rds.tf:18-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
FAILED for resource: aws_db_instance.mariadb
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_017_Elastic_Beanstalk/25-rds.tf:18-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
FAILED for resource: aws_db_instance.mariadb
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_017_Elastic_Beanstalk/25-rds.tf:18-38
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
FAILED for resource: aws_db_instance.mariadb
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_017_Elastic_Beanstalk/25-rds.tf:18-38
Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
FAILED for resource: aws_db_instance.mariadb
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_017_Elastic_Beanstalk/25-rds.tf:18-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html
Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
FAILED for resource: aws_db_instance.mariadb
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_017_Elastic_Beanstalk/25-rds.tf:18-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html
Check: CKV_AWS_340: "Ensure Elastic Beanstalk managed platform updates are enabled"
FAILED for resource: aws_elastic_beanstalk_environment.app-prod
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_017_Elastic_Beanstalk/28-elasticbeanstalk.tf:9-113
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_312: "Ensure Elastic Beanstalk environments have enhanced health reporting enabled"
FAILED for resource: aws_elastic_beanstalk_environment.app-prod
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_017_Elastic_Beanstalk/28-elasticbeanstalk.tf:9-113
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
FAILED for resource: aws_ecr_repository.myapp
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_018_create_ECR_repo/15-ecr.tf:1-3
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-8.html
1 | resource "aws_ecr_repository" "myapp" {
2 | name = "myapp"
3 | }
Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
FAILED for resource: aws_ecr_repository.myapp
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_018_create_ECR_repo/15-ecr.tf:1-3
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-24.html
Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
FAILED for resource: aws_ecr_repository.myapp
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_018_create_ECR_repo/15-ecr.tf:1-3
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted.html
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_role_policy.ecs-ec2-role-policy
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_019_ECS/10-iam.tf:47-90
47 | resource "aws_iam_role_policy" "ecs-ec2-role-policy" {
48 | name = "ecs-ec2-role-policy"
49 | role = aws_iam_role.ecs-ec2-role.id
50 | policy = <",
49 | google_compute_address.gcp-ip.address,
50 | ),
51 | "",
52 | var.gcp_vm_address,
53 | )
54 |
55 | tags = {
56 | Name = "aws-vm-${var.aws_region}"
57 | }
58 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.aws-vm
File: /home/infrastructure_as_code/terraform/gcp/taskset_gcp_terraform_infrastructure_as_code/task_008_building_a_vpn_between_gcp_and_aws/autonetdeploy-multicloudvpn/terraform/aws_compute.tf:29-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
29 | resource "aws_instance" "aws-vm" {
30 | ami = data.aws_ami.ubuntu.id
31 | instance_type = var.aws_instance_type
32 | subnet_id = aws_subnet.aws-subnet1.id
33 | key_name = "vm-ssh-key"
34 |
35 | associate_public_ip_address = true
36 | private_ip = var.aws_vm_address
37 |
38 | vpc_security_group_ids = [
39 | aws_security_group.aws-allow-icmp.id,
40 | aws_security_group.aws-allow-ssh.id,
41 | aws_security_group.aws-allow-vpn.id,
42 | aws_security_group.aws-allow-internet.id,
43 | ]
44 |
45 | user_data = replace(
46 | replace(
47 | file("vm_userdata.sh"),
48 | "",
49 | google_compute_address.gcp-ip.address,
50 | ),
51 | "",
52 | var.gcp_vm_address,
53 | )
54 |
55 | tags = {
56 | Name = "aws-vm-${var.aws_region}"
57 | }
58 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.aws-vm
File: /home/infrastructure_as_code/terraform/gcp/taskset_gcp_terraform_infrastructure_as_code/task_008_building_a_vpn_between_gcp_and_aws/autonetdeploy-multicloudvpn/terraform/aws_compute.tf:29-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
Check: CKV_AWS_88: "EC2 instance should not have public IP."
FAILED for resource: aws_instance.aws-vm
File: /home/infrastructure_as_code/terraform/gcp/taskset_gcp_terraform_infrastructure_as_code/task_008_building_a_vpn_between_gcp_and_aws/autonetdeploy-multicloudvpn/terraform/aws_compute.tf:29-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-12.html
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.aws-vm
File: /home/infrastructure_as_code/terraform/gcp/taskset_gcp_terraform_infrastructure_as_code/task_008_building_a_vpn_between_gcp_and_aws/autonetdeploy-multicloudvpn/terraform/aws_compute.tf:29-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.aws-allow-icmp
File: /home/infrastructure_as_code/terraform/gcp/taskset_gcp_terraform_infrastructure_as_code/task_008_building_a_vpn_between_gcp_and_aws/autonetdeploy-multicloudvpn/terraform/aws_security.tf:8-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
8 | resource "aws_security_group" "aws-allow-icmp" {
9 | name = "aws-allow-icmp"
10 | description = "Allow icmp access from anywhere"
11 | vpc_id = aws_vpc.aws-vpc.id
12 |
13 | ingress {
14 | from_port = 8
15 | to_port = 0
16 | protocol = "icmp"
17 | cidr_blocks = ["0.0.0.0/0"]
18 | }
19 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.aws-allow-ssh
File: /home/infrastructure_as_code/terraform/gcp/taskset_gcp_terraform_infrastructure_as_code/task_008_building_a_vpn_between_gcp_and_aws/autonetdeploy-multicloudvpn/terraform/aws_security.tf:22-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
22 | resource "aws_security_group" "aws-allow-ssh" {
23 | name = "aws-allow-ssh"
24 | description = "Allow ssh access from anywhere"
25 | vpc_id = aws_vpc.aws-vpc.id
26 |
27 | ingress {
28 | from_port = 22
29 | to_port = 22
30 | protocol = "tcp"
31 | cidr_blocks = ["0.0.0.0/0"]
32 | }
33 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group.aws-allow-ssh
File: /home/infrastructure_as_code/terraform/gcp/taskset_gcp_terraform_infrastructure_as_code/task_008_building_a_vpn_between_gcp_and_aws/autonetdeploy-multicloudvpn/terraform/aws_security.tf:22-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-1-port-security.html
22 | resource "aws_security_group" "aws-allow-ssh" {
23 | name = "aws-allow-ssh"
24 | description = "Allow ssh access from anywhere"
25 | vpc_id = aws_vpc.aws-vpc.id
26 |
27 | ingress {
28 | from_port = 22
29 | to_port = 22
30 | protocol = "tcp"
31 | cidr_blocks = ["0.0.0.0/0"]
32 | }
33 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.aws-allow-vpn
File: /home/infrastructure_as_code/terraform/gcp/taskset_gcp_terraform_infrastructure_as_code/task_008_building_a_vpn_between_gcp_and_aws/autonetdeploy-multicloudvpn/terraform/aws_security.tf:36-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
36 | resource "aws_security_group" "aws-allow-vpn" {
37 | name = "aws-allow-vpn"
38 | description = "Allow all traffic from vpn resources"
39 | vpc_id = aws_vpc.aws-vpc.id
40 |
41 | ingress {
42 | from_port = 0
43 | to_port = 0
44 | protocol = "-1"
45 | cidr_blocks = [var.gcp_subnet1_cidr]
46 | }
47 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.aws-allow-internet
File: /home/infrastructure_as_code/terraform/gcp/taskset_gcp_terraform_infrastructure_as_code/task_008_building_a_vpn_between_gcp_and_aws/autonetdeploy-multicloudvpn/terraform/aws_security.tf:50-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
50 | resource "aws_security_group" "aws-allow-internet" {
51 | name = "aws-allow-internet"
52 | description = "Allow http traffic from the internet"
53 | vpc_id = aws_vpc.aws-vpc.id
54 |
55 | ingress {
56 | from_port = 80
57 | to_port = 80
58 | protocol = "tcp"
59 | cidr_blocks = ["0.0.0.0/0"]
60 | }
61 |
62 | egress {
63 | from_port = 0
64 | to_port = 0
65 | protocol = "-1"
66 | cidr_blocks = ["0.0.0.0/0"]
67 | }
68 | }
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
FAILED for resource: aws_security_group.aws-allow-internet
File: /home/infrastructure_as_code/terraform/gcp/taskset_gcp_terraform_infrastructure_as_code/task_008_building_a_vpn_between_gcp_and_aws/autonetdeploy-multicloudvpn/terraform/aws_security.tf:50-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80.html
50 | resource "aws_security_group" "aws-allow-internet" {
51 | name = "aws-allow-internet"
52 | description = "Allow http traffic from the internet"
53 | vpc_id = aws_vpc.aws-vpc.id
54 |
55 | ingress {
56 | from_port = 80
57 | to_port = 80
58 | protocol = "tcp"
59 | cidr_blocks = ["0.0.0.0/0"]
60 | }
61 |
62 | egress {
63 | from_port = 0
64 | to_port = 0
65 | protocol = "-1"
66 | cidr_blocks = ["0.0.0.0/0"]
67 | }
68 | }
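The four findings above on aws_security.tf come down to two things: every `ingress`/`egress` block needs its own `description` (CKV_AWS_23 is about the rule, not the group), and SSH and HTTP are open to 0.0.0.0/0 (CKV_AWS_24, CKV_AWS_260). The block below is an added example of the hardened groups, not code from the repository. It assumes a `var.admin_cidr` (the operator's management range) that the original does not declare, and it shows checkov's inline `#checkov:skip=` syntax for the one rule that is public on purpose. The same `description` fix is all the EKS `worker_group_mgmt_*` groups reported later need.

```hcl
# Added example: hardened aws-allow-* security groups (not the repository's code).
# var.admin_cidr is an assumption: the CIDR admins connect from.
variable "admin_cidr" {
  description = "CIDR allowed to reach SSH/ICMP on the AWS VM (assumed, not in the original)"
  type        = string
}

# CKV_AWS_23: every rule block carries a description.
resource "aws_security_group" "aws-allow-icmp" {
  name        = "aws-allow-icmp"
  description = "Allow ICMP echo requests from the management range"
  vpc_id      = aws_vpc.aws-vpc.id

  ingress {
    description = "ICMP echo request (type 8, code 0) for reachability tests"
    from_port   = 8
    to_port     = 0
    protocol    = "icmp"
    cidr_blocks = [var.admin_cidr]
  }
}

# CKV_AWS_24: SSH is no longer reachable from 0.0.0.0/0. If SSM Session
# Manager is an option, delete this group and port 22 entirely.
resource "aws_security_group" "aws-allow-ssh" {
  name        = "aws-allow-ssh"
  description = "Allow SSH from the management range only"
  vpc_id      = aws_vpc.aws-vpc.id

  ingress {
    description = "SSH from the management range"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }
}

# Broad by design (all protocols from the peer subnet over the tunnel); the
# description records why so a reviewer does not have to guess.
resource "aws_security_group" "aws-allow-vpn" {
  name        = "aws-allow-vpn"
  description = "Allow all traffic from the GCP subnet over the VPN"
  vpc_id      = aws_vpc.aws-vpc.id

  ingress {
    description = "All traffic from gcp-subnet1 via the IPsec tunnel"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [var.gcp_subnet1_cidr]
  }
}

# CKV_AWS_260: port 80 is an unauthenticated test endpoint in this lab. If it
# must stay public, suppress the check with a reason instead of ignoring it.
resource "aws_security_group" "aws-allow-internet" {
  #checkov:skip=CKV_AWS_260:HTTP test endpoint for the VPN lab; serves no data
  name        = "aws-allow-internet"
  description = "Allow HTTP from the internet and all egress"
  vpc_id      = aws_vpc.aws-vpc.id

  ingress {
    description = "HTTP test endpoint"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    description = "All outbound (package installs, AWS API calls)"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

A skip comment must sit inside the resource block it applies to, and the text after the second colon is the justification checkov prints in its report; a skip without a reason is the same as not scanning.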
Check: CKV_GCP_39: "Ensure Compute instances are launched with Shielded VM enabled"
FAILED for resource: google_compute_instance.gcp-vm
File: /home/infrastructure_as_code/terraform/gcp/taskset_gcp_terraform_infrastructure_as_code/task_008_building_a_vpn_between_gcp_and_aws/autonetdeploy-multicloudvpn/terraform/gcp_compute.tf:17-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/bc-gcp-general-y.html
17 | resource "google_compute_instance" "gcp-vm" {
18 | name = "gcp-vm-${var.gcp_region}"
19 | machine_type = var.gcp_instance_type
20 | zone = data.google_compute_zones.available.names[0]
21 |
22 | boot_disk {
23 | initialize_params {
24 | image = var.gcp_disk_image
25 | }
26 | }
27 |
28 | network_interface {
29 | subnetwork = google_compute_subnetwork.gcp-subnet1.name
30 | network_ip = var.gcp_vm_address
31 |
32 | access_config {
33 | # Static IP
34 | nat_ip = google_compute_address.gcp-ip.address
35 | }
36 | }
37 |
38 | # Cannot pre-load both gcp and aws since that creates a circular dependency.
39 | # Can pre-populate the AWS IPs to make it easier to run tests.
40 | metadata_startup_script = replace(
41 | replace(file("vm_userdata.sh"), "", aws_eip.aws-ip.public_ip),
42 | "",
43 | var.aws_vm_address,
44 | )
45 | }
Check: CKV_GCP_40: "Ensure that Compute instances do not have public IP addresses"
FAILED for resource: google_compute_instance.gcp-vm
File: /home/infrastructure_as_code/terraform/gcp/taskset_gcp_terraform_infrastructure_as_code/task_008_building_a_vpn_between_gcp_and_aws/autonetdeploy-multicloudvpn/terraform/gcp_compute.tf:17-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-public-policies/bc-gcp-public-2.html
17 | resource "google_compute_instance" "gcp-vm" {
18 | name = "gcp-vm-${var.gcp_region}"
19 | machine_type = var.gcp_instance_type
20 | zone = data.google_compute_zones.available.names[0]
21 |
22 | boot_disk {
23 | initialize_params {
24 | image = var.gcp_disk_image
25 | }
26 | }
27 |
28 | network_interface {
29 | subnetwork = google_compute_subnetwork.gcp-subnet1.name
30 | network_ip = var.gcp_vm_address
31 |
32 | access_config {
33 | # Static IP
34 | nat_ip = google_compute_address.gcp-ip.address
35 | }
36 | }
37 |
38 | # Cannot pre-load both gcp and aws since that creates a circular dependency.
39 | # Can pre-populate the AWS IPs to make it easier to run tests.
40 | metadata_startup_script = replace(
41 | replace(file("vm_userdata.sh"), "", aws_eip.aws-ip.public_ip),
42 | "",
43 | var.aws_vm_address,
44 | )
45 | }
Check: CKV_GCP_32: "Ensure 'Block Project-wide SSH keys' is enabled for VM instances"
FAILED for resource: google_compute_instance.gcp-vm
File: /home/infrastructure_as_code/terraform/gcp/taskset_gcp_terraform_infrastructure_as_code/task_008_building_a_vpn_between_gcp_and_aws/autonetdeploy-multicloudvpn/terraform/gcp_compute.tf:17-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-8.html
17 | resource "google_compute_instance" "gcp-vm" {
18 | name = "gcp-vm-${var.gcp_region}"
19 | machine_type = var.gcp_instance_type
20 | zone = data.google_compute_zones.available.names[0]
21 |
22 | boot_disk {
23 | initialize_params {
24 | image = var.gcp_disk_image
25 | }
26 | }
27 |
28 | network_interface {
29 | subnetwork = google_compute_subnetwork.gcp-subnet1.name
30 | network_ip = var.gcp_vm_address
31 |
32 | access_config {
33 | # Static IP
34 | nat_ip = google_compute_address.gcp-ip.address
35 | }
36 | }
37 |
38 | # Cannot pre-load both gcp and aws since that creates a circular dependency.
39 | # Can pre-populate the AWS IPs to make it easier to run tests.
40 | metadata_startup_script = replace(
41 | replace(file("vm_userdata.sh"), "", aws_eip.aws-ip.public_ip),
42 | "",
43 | var.aws_vm_address,
44 | )
45 | }
Check: CKV_GCP_38: "Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK)"
FAILED for resource: google_compute_instance.gcp-vm
File: /home/infrastructure_as_code/terraform/gcp/taskset_gcp_terraform_infrastructure_as_code/task_008_building_a_vpn_between_gcp_and_aws/autonetdeploy-multicloudvpn/terraform/gcp_compute.tf:17-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/encrypt-boot-disks-for-instances-with-cseks.html
17 | resource "google_compute_instance" "gcp-vm" {
18 | name = "gcp-vm-${var.gcp_region}"
19 | machine_type = var.gcp_instance_type
20 | zone = data.google_compute_zones.available.names[0]
21 |
22 | boot_disk {
23 | initialize_params {
24 | image = var.gcp_disk_image
25 | }
26 | }
27 |
28 | network_interface {
29 | subnetwork = google_compute_subnetwork.gcp-subnet1.name
30 | network_ip = var.gcp_vm_address
31 |
32 | access_config {
33 | # Static IP
34 | nat_ip = google_compute_address.gcp-ip.address
35 | }
36 | }
37 |
38 | # Cannot pre-load both gcp and aws since that creates a circular dependency.
39 | # Can pre-populate the AWS IPs to make it easier to run tests.
40 | metadata_startup_script = replace(
41 | replace(file("vm_userdata.sh"), "", aws_eip.aws-ip.public_ip),
42 | "",
43 | var.aws_vm_address,
44 | )
45 | }
Check: CKV_GCP_30: "Ensure that instances are not configured to use the default service account"
FAILED for resource: google_compute_instance.gcp-vm
File: /home/infrastructure_as_code/terraform/gcp/taskset_gcp_terraform_infrastructure_as_code/task_008_building_a_vpn_between_gcp_and_aws/autonetdeploy-multicloudvpn/terraform/gcp_compute.tf:17-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-iam-policies/bc-gcp-iam-1.html
17 | resource "google_compute_instance" "gcp-vm" {
18 | name = "gcp-vm-${var.gcp_region}"
19 | machine_type = var.gcp_instance_type
20 | zone = data.google_compute_zones.available.names[0]
21 |
22 | boot_disk {
23 | initialize_params {
24 | image = var.gcp_disk_image
25 | }
26 | }
27 |
28 | network_interface {
29 | subnetwork = google_compute_subnetwork.gcp-subnet1.name
30 | network_ip = var.gcp_vm_address
31 |
32 | access_config {
33 | # Static IP
34 | nat_ip = google_compute_address.gcp-ip.address
35 | }
36 | }
37 |
38 | # Cannot pre-load both gcp and aws since that creates a circular dependency.
39 | # Can pre-populate the AWS IPs to make it easier to run tests.
40 | metadata_startup_script = replace(
41 | replace(file("vm_userdata.sh"), "", aws_eip.aws-ip.public_ip),
42 | "",
43 | var.aws_vm_address,
44 | )
45 | }
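The five gcp-vm findings (CKV_GCP_39, 40, 32, 38, 30) are all fixed on the same resource. Below is an added example of the hardened instance; it is not the repository's code. It assumes a dedicated `google_service_account.gcp-vm` and a KMS key `google_kms_crypto_key.boot`, neither of which exists in the original, and it leaves out the `metadata_startup_script` line, which is unchanged from the original. Two caveats a practitioner should know before applying it: dropping `access_config` removes the external IP that the AWS side's user_data bakes in as `google_compute_address.gcp-ip.address`, so the cross-cloud test must target the VM's private address over the tunnel instead; and the Compute Engine service agent needs `roles/cloudkms.cryptoKeyEncrypterDecrypter` on the key or instance creation fails. CKV_GCP_38 is titled "CSEK", but in my reading of the check a KMS-managed key (`kms_key_self_link`) also passes, and it is the form you can actually rotate and audit; re-run checkov to confirm.

```hcl
# Added example: hardened google_compute_instance for gcp_compute.tf
# (not the repository's code). google_service_account.gcp-vm and
# google_kms_crypto_key.boot are assumed to exist.
resource "google_service_account" "gcp-vm" {
  account_id   = "gcp-vm-sa"
  display_name = "Dedicated identity for gcp-vm (no project-wide Editor grant)"
}

resource "google_compute_instance" "gcp-vm" {
  name         = "gcp-vm-${var.gcp_region}"
  machine_type = var.gcp_instance_type
  zone         = data.google_compute_zones.available.names[0]

  boot_disk {
    initialize_params {
      image = var.gcp_disk_image # must be a Shielded-VM capable image
    }
    # CKV_GCP_38: customer-managed key from Cloud KMS (assumed key resource).
    kms_key_self_link = google_kms_crypto_key.boot.id
  }

  # CKV_GCP_39: Shielded VM. Secure Boot + vTPM give a measured boot chain;
  # integrity monitoring raises a Cloud Logging event if it changes.
  shielded_instance_config {
    enable_secure_boot          = true
    enable_vtpm                 = true
    enable_integrity_monitoring = true
  }

  network_interface {
    subnetwork = google_compute_subnetwork.gcp-subnet1.name
    network_ip = var.gcp_vm_address
    # CKV_GCP_40: no access_config block, so no external IP. Admin access goes
    # through the VPN or IAP TCP forwarding; outbound internet needs Cloud NAT.
  }

  # CKV_GCP_32: ignore project-wide SSH keys; OS Login ties SSH to IAM instead.
  metadata = {
    block-project-ssh-keys = "true"
    enable-oslogin         = "true"
  }

  # CKV_GCP_30: a dedicated service account instead of the default Compute SA.
  # The scope is broad on purpose; least privilege is enforced by the IAM
  # roles bound to the account, which start at nothing.
  service_account {
    email  = google_service_account.gcp-vm.email
    scopes = ["cloud-platform"]
  }
}
```

With OS Login enabled, who may SSH is decided by `roles/compute.osLogin` / `roles/compute.osAdminLogin` bindings rather than by whatever keys happen to be in project metadata, which is the actual risk CKV_GCP_32 is pointing at.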
Check: CKV_GCP_26: "Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network"
FAILED for resource: google_compute_subnetwork.gcp-subnet1
File: /home/infrastructure_as_code/terraform/gcp/taskset_gcp_terraform_infrastructure_as_code/task_008_building_a_vpn_between_gcp_and_aws/autonetdeploy-multicloudvpn/terraform/gcp_networking.tf:12-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/logging-policies-1/bc-gcp-logging-1.html
12 | resource "google_compute_subnetwork" "gcp-subnet1" {
13 | name = "gcp-subnet1"
14 | ip_cidr_range = var.gcp_subnet1_cidr
15 | network = google_compute_network.gcp-network.name
16 | region = var.gcp_region
17 | }
Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
FAILED for resource: google_compute_subnetwork.gcp-subnet1
File: /home/infrastructure_as_code/terraform/gcp/taskset_gcp_terraform_infrastructure_as_code/task_008_building_a_vpn_between_gcp_and_aws/autonetdeploy-multicloudvpn/terraform/gcp_networking.tf:12-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6.html
12 | resource "google_compute_subnetwork" "gcp-subnet1" {
13 | name = "gcp-subnet1"
14 | ip_cidr_range = var.gcp_subnet1_cidr
15 | network = google_compute_network.gcp-network.name
16 | region = var.gcp_region
17 | }
Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
FAILED for resource: google_compute_subnetwork.gcp-subnet1
File: /home/infrastructure_as_code/terraform/gcp/taskset_gcp_terraform_infrastructure_as_code/task_008_building_a_vpn_between_gcp_and_aws/autonetdeploy-multicloudvpn/terraform/gcp_networking.tf:12-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-general-policies/ensure-gcp-subnet-has-a-private-ip-google-access.html
12 | resource "google_compute_subnetwork" "gcp-subnet1" {
13 | name = "gcp-subnet1"
14 | ip_cidr_range = var.gcp_subnet1_cidr
15 | network = google_compute_network.gcp-network.name
16 | region = var.gcp_region
17 | }
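The three subnet findings are two real settings and one piece of noise. Flow logs (CKV_GCP_26) are what you will want when investigating the VPN traffic, and Private Google Access (CKV_GCP_74) is what lets a VM without an external IP still reach Google APIs. CKV_GCP_76 asks for `private_ipv6_google_access`, which only makes sense on a dual-stack subnet; this one is IPv4-only. The block below is an added example, not the repository's code, and keeps the original names and variables.

```hcl
# Added example (not the repository's code): gcp-subnet1 with flow logs and
# Private Google Access. CKV_GCP_76 is suppressed with a reason rather than
# by enabling IPv6 just to satisfy the scanner.
resource "google_compute_subnetwork" "gcp-subnet1" {
  #checkov:skip=CKV_GCP_76:IPv4-only subnet; no IPv6 stack is configured
  name          = "gcp-subnet1"
  ip_cidr_range = var.gcp_subnet1_cidr
  network       = google_compute_network.gcp-network.name
  region        = var.gcp_region

  # CKV_GCP_74: VMs with only an internal IP can still reach Google APIs
  # (required once the external IP is removed from gcp-vm).
  private_ip_google_access = true

  # CKV_GCP_26: VPC Flow Logs. 5-second aggregation and 50% sampling keep
  # volume manageable; INCLUDE_ALL_METADATA adds VM and VPC names so the
  # logs are usable in detections without a separate asset lookup.
  log_config {
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}
```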
Check: CKV_GCP_2: "Ensure Google compute firewall ingress does not allow unrestricted ssh access"
FAILED for resource: google_compute_firewall.gcp-allow-ssh
File: /home/infrastructure_as_code/terraform/gcp/taskset_gcp_terraform_infrastructure_as_code/task_008_building_a_vpn_between_gcp_and_aws/autonetdeploy-multicloudvpn/terraform/gcp_security.tf:22-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/bc-gcp-networking-1.html
22 | resource "google_compute_firewall" "gcp-allow-ssh" {
23 | name = "${google_compute_network.gcp-network.name}-gcp-allow-ssh"
24 | network = google_compute_network.gcp-network.name
25 |
26 | allow {
27 | protocol = "tcp"
28 | ports = ["22"]
29 | }
30 |
31 | source_ranges = [
32 | "0.0.0.0/0",
33 | ]
34 | }
Check: CKV_GCP_106: "Ensure Google compute firewall ingress does not allow unrestricted http port 80 access"
FAILED for resource: google_compute_firewall.gcp-allow-internet
File: /home/infrastructure_as_code/terraform/gcp/taskset_gcp_terraform_infrastructure_as_code/task_008_building_a_vpn_between_gcp_and_aws/autonetdeploy-multicloudvpn/terraform/gcp_security.tf:57-69
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-http-port-80-access.html
57 | resource "google_compute_firewall" "gcp-allow-internet" {
58 | name = "${google_compute_network.gcp-network.name}-gcp-allow-internet"
59 | network = google_compute_network.gcp-network.name
60 |
61 | allow {
62 | protocol = "tcp"
63 | ports = ["80"]
64 | }
65 |
66 | source_ranges = [
67 | "0.0.0.0/0",
68 | ]
69 | }
Check: CKV_OCI_17: "Ensure VCN inbound security lists are stateless"
FAILED for resource: oci_core_security_list.private-security-list
File: /home/infrastructure_as_code/terraform/oci/taskset_oci_terraform_infrastructure_as_code/task_002_create_vcn/05-private-security-list.tf:3-59
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/oci-policies/networking/ensure-vcn-inbound-security-lists-are-stateless.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_OCI_19: "Ensure no security list allow ingress from 0.0.0.0:0 to port 22."
FAILED for resource: oci_core_security_list.public-security-list
File: /home/infrastructure_as_code/terraform/oci/taskset_oci_terraform_infrastructure_as_code/task_002_create_vcn/06-public-security-list.tf:3-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/oci-policies/networking/ensure-oci-security-list-does-not-allow-ingress-from-00000-to-port-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_OCI_17: "Ensure VCN inbound security lists are stateless"
FAILED for resource: oci_core_security_list.public-security-list
File: /home/infrastructure_as_code/terraform/oci/taskset_oci_terraform_infrastructure_as_code/task_002_create_vcn/06-public-security-list.tf:3-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/oci-policies/networking/ensure-vcn-inbound-security-lists-are-stateless.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_OCI_5: "Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled"
FAILED for resource: oci_core_instance.ubuntu_instance
File: /home/infrastructure_as_code/terraform/oci/taskset_oci_terraform_infrastructure_as_code/task_003_create_instance/04-compute.tf:3-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/oci-policies/compute/ensure-oci-compute-instance-has-legacy-metadata-service-endpoint-disabled.html
3 | resource "oci_core_instance" "ubuntu_instance" {
4 | # Required
5 | availability_domain = data.oci_identity_availability_domains.ads.availability_domains[0].name
6 | compartment_id = var.TF_VAR_COMPARTMENT_SANDBOX_TF_V1_OCI_ID
7 | shape = var.VAR_UBUNTU_SHAPE
8 | source_details {
9 | source_id = var.TF_VAR_UBUNTU_MUMBAI_SOURCE_OCI_ID
10 | source_type = "image"
11 | }
12 |
13 | # Optional
14 | display_name = var.VAR_INSTANCE_DISPLAY_NAME
15 | create_vnic_details {
16 | assign_public_ip = true
17 | subnet_id = var.TF_VAR_COMPARTMENT_SANDBOX_TF_V1_PUBLIC_SUBNET_OCI_ID
18 | }
19 | metadata = {
20 | ssh_authorized_keys = file(var.TF_VAR_SSH_PUBLIC_KEY_PATH)
21 | }
22 | preserve_boot_volume = false
23 | }
Check: CKV_OCI_4: "Ensure OCI Compute Instance boot volume has in-transit data encryption enabled"
FAILED for resource: oci_core_instance.ubuntu_instance
File: /home/infrastructure_as_code/terraform/oci/taskset_oci_terraform_infrastructure_as_code/task_003_create_instance/04-compute.tf:3-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/oci-policies/compute/ensure-oci-compute-instance-boot-volume-has-in-transit-data-encryption-enabled.html
3 | resource "oci_core_instance" "ubuntu_instance" {
4 | # Required
5 | availability_domain = data.oci_identity_availability_domains.ads.availability_domains[0].name
6 | compartment_id = var.TF_VAR_COMPARTMENT_SANDBOX_TF_V1_OCI_ID
7 | shape = var.VAR_UBUNTU_SHAPE
8 | source_details {
9 | source_id = var.TF_VAR_UBUNTU_MUMBAI_SOURCE_OCI_ID
10 | source_type = "image"
11 | }
12 |
13 | # Optional
14 | display_name = var.VAR_INSTANCE_DISPLAY_NAME
15 | create_vnic_details {
16 | assign_public_ip = true
17 | subnet_id = var.TF_VAR_COMPARTMENT_SANDBOX_TF_V1_PUBLIC_SUBNET_OCI_ID
18 | }
19 | metadata = {
20 | ssh_authorized_keys = file(var.TF_VAR_SSH_PUBLIC_KEY_PATH)
21 | }
22 | preserve_boot_volume = false
23 | }
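Both instance findings map to one nested block each on `oci_core_instance`. The legacy metadata endpoint (CKV_OCI_5) is the bigger one: IMDSv1 answers any unauthenticated GET from the instance, which is exactly what an SSRF in a service running on the VM needs to steal the instance principal's credentials; IMDSv2 requires the `Authorization: Bearer Oracle` header. The block below is an added example, not the repository's code; it keeps the original variables and only adds the two nested blocks. Test it on the image in use, because an image whose cloud-init cannot speak IMDSv2 will fail to fetch `ssh_authorized_keys` at boot. On the security-list findings (CKV_OCI_17, CKV_OCI_19): the 0.0.0.0/0 SSH rule in the public list is the real exposure, made worse here by `assign_public_ip = true`; "stateless" lists require matching explicit egress rules and are a judgement call, and network security groups are usually the cleaner replacement for either.

```hcl
# Added example (not the repository's code): ubuntu_instance with the
# legacy IMDS endpoint disabled and in-transit volume encryption enabled.
resource "oci_core_instance" "ubuntu_instance" {
  availability_domain = data.oci_identity_availability_domains.ads.availability_domains[0].name
  compartment_id      = var.TF_VAR_COMPARTMENT_SANDBOX_TF_V1_OCI_ID
  shape               = var.VAR_UBUNTU_SHAPE

  source_details {
    source_id   = var.TF_VAR_UBUNTU_MUMBAI_SOURCE_OCI_ID
    source_type = "image"
  }

  display_name = var.VAR_INSTANCE_DISPLAY_NAME

  create_vnic_details {
    assign_public_ip = true # combined with SSH from 0.0.0.0/0 this is the exposure
    subnet_id        = var.TF_VAR_COMPARTMENT_SANDBOX_TF_V1_PUBLIC_SUBNET_OCI_ID
  }

  # CKV_OCI_5: only IMDSv2 (/opc/v2, authenticated header) is served.
  instance_options {
    are_legacy_imds_endpoints_disabled = true
  }

  # CKV_OCI_4: encrypt paravirtualized boot/block volume traffic between the
  # instance and the storage service. Needs a shape and image that support it.
  launch_options {
    is_pv_encryption_in_transit_enabled = true
  }

  metadata = {
    ssh_authorized_keys = file(var.TF_VAR_SSH_PUBLIC_KEY_PATH)
  }

  preserve_boot_volume = false
}
```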
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.worker_group_mgmt_one
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_007_eks_on_demand/security-groups.tf:2-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
2 | resource "aws_security_group" "worker_group_mgmt_one" {
3 | name_prefix = "worker_group_mgmt_one"
4 | vpc_id = module.vpc.vpc_id
5 |
6 | ingress {
7 | from_port = 22
8 | to_port = 22
9 | protocol = "tcp"
10 |
11 | cidr_blocks = [
12 | "10.0.0.0/8",
13 | ]
14 | }
15 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.worker_group_mgmt_two
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_007_eks_on_demand/security-groups.tf:17-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
17 | resource "aws_security_group" "worker_group_mgmt_two" {
18 | name_prefix = "worker_group_mgmt_two"
19 | vpc_id = module.vpc.vpc_id
20 |
21 | ingress {
22 | from_port = 22
23 | to_port = 22
24 | protocol = "tcp"
25 |
26 | cidr_blocks = [
27 | "192.168.0.0/16",
28 | ]
29 | }
30 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.all_worker_mgmt
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_007_eks_on_demand/security-groups.tf:32-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
32 | resource "aws_security_group" "all_worker_mgmt" {
33 | name_prefix = "all_worker_management"
34 | vpc_id = module.vpc.vpc_id
35 |
36 | ingress {
37 | from_port = 22
38 | to_port = 22
39 | protocol = "tcp"
40 |
41 | cidr_blocks = [
42 | "10.0.0.0/8",
43 | "172.16.0.0/12",
44 | "192.168.0.0/16",
45 | ]
46 | }
47 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.worker_group_mgmt_one
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_009_eks_spot_and_on_demand/security-groups.tf:2-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
2 | resource "aws_security_group" "worker_group_mgmt_one" {
3 | name_prefix = "worker_group_mgmt_one"
4 | vpc_id = module.vpc.vpc_id
5 |
6 | ingress {
7 | from_port = 22
8 | to_port = 22
9 | protocol = "tcp"
10 |
11 | cidr_blocks = [
12 | "10.0.0.0/8",
13 | ]
14 | }
15 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.worker_group_mgmt_two
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_009_eks_spot_and_on_demand/security-groups.tf:17-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
17 | resource "aws_security_group" "worker_group_mgmt_two" {
18 | name_prefix = "worker_group_mgmt_two"
19 | vpc_id = module.vpc.vpc_id
20 |
21 | ingress {
22 | from_port = 22
23 | to_port = 22
24 | protocol = "tcp"
25 |
26 | cidr_blocks = [
27 | "192.168.0.0/16",
28 | ]
29 | }
30 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.all_worker_mgmt
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_009_eks_spot_and_on_demand/security-groups.tf:32-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
32 | resource "aws_security_group" "all_worker_mgmt" {
33 | name_prefix = "all_worker_management"
34 | vpc_id = module.vpc.vpc_id
35 |
36 | ingress {
37 | from_port = 22
38 | to_port = 22
39 | protocol = "tcp"
40 |
41 | cidr_blocks = [
42 | "10.0.0.0/8",
43 | "172.16.0.0/12",
44 | "192.168.0.0/16",
45 | ]
46 | }
47 | }
Check: CKV2_GCP_12: "Ensure GCP compute firewall ingress does not allow unrestricted access to all ports"
FAILED for resource: google_compute_firewall.gcp-allow-all
File: /home/infrastructure_as_code/terraform/gcp/taskset_gcp_terraform_infrastructure_as_code/task_008_building_a_vpn_between_gcp_and_aws/autonetdeploy-multicloudvpn/terraform/gcp_security.tf:82-90
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-google-compute-firewall-ingress-does-not-allow-unrestricted-access-to-all-ports.html
82 | resource "google_compute_firewall" "gcp-allow-all" {
83 | name = "gcp-network-allow-all"
84 | network = google_compute_network.gcp-network.name
85 | allow {
86 | protocol = "all"
87 | }
88 | direction = "INGRESS"
89 | source_ranges = ["0.0.0.0/0"]
90 | }
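This rule and the two earlier gcp_security.tf findings (CKV_GCP_2 on gcp-allow-ssh, CKV_GCP_106 on gcp-allow-internet) share one fix: scope `source_ranges` and add `target_tags` so a rule applies only to the VM that needs it. gcp-allow-all on a custom VPC is the worst of the three, since it cancels the network's implied deny-ingress rule for every instance. The block below is an added example, not the repository's code. Assumptions: the VM carries a network tag `vpn-test-vm`, `var.admin_cidr` is declared elsewhere as the management range, and `var.aws_subnet1_cidr` names the AWS side of the tunnel. 35.235.240.0/20 is Google's published source range for IAP TCP forwarding. If the file already has a tunnel-scoped rule next to gcp-allow-all, just delete gcp-allow-all; nothing needs to replace it, because ingress is denied by default.

```hcl
# Added example (not the repository's code): scoped replacements for
# gcp-allow-ssh, gcp-allow-internet and gcp-allow-all. Assumed: network tag
# "vpn-test-vm", var.admin_cidr, var.aws_subnet1_cidr.

# CKV_GCP_2: SSH only from IAP TCP forwarding, only to tagged instances,
# with firewall logging so every accepted connection is in Cloud Logging.
resource "google_compute_firewall" "gcp-allow-ssh" {
  name      = "${google_compute_network.gcp-network.name}-gcp-allow-ssh"
  network   = google_compute_network.gcp-network.name
  direction = "INGRESS"

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = ["35.235.240.0/20"] # IAP range; replaces 0.0.0.0/0
  target_tags   = ["vpn-test-vm"]

  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}

# CKV_GCP_106: the HTTP test endpoint answers the management range only.
resource "google_compute_firewall" "gcp-allow-internet" {
  name      = "${google_compute_network.gcp-network.name}-gcp-allow-internet"
  network   = google_compute_network.gcp-network.name
  direction = "INGRESS"

  allow {
    protocol = "tcp"
    ports    = ["80"]
  }

  source_ranges = [var.admin_cidr]
  target_tags   = ["vpn-test-vm"]
}

# CKV2_GCP_12: gcp-allow-all is gone. What the lab actually needs is traffic
# from the AWS subnet arriving through the tunnel, so that is all this admits.
resource "google_compute_firewall" "gcp-allow-vpn-peer" {
  name      = "${google_compute_network.gcp-network.name}-gcp-allow-vpn-peer"
  network   = google_compute_network.gcp-network.name
  direction = "INGRESS"

  allow {
    protocol = "all"
  }

  source_ranges = [var.aws_subnet1_cidr]
  target_tags   = ["vpn-test-vm"]
}
```

For the tags to take effect the instance needs `tags = ["vpn-test-vm"]` on its `google_compute_instance`; a rule with `target_tags` that matches no instance is silently inert, which is worth checking after apply with `gcloud compute firewall-rules list --filter="network:gcp-network"`.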
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: google_compute_network.default
File: /home/infrastructure_as_code/terraform/gcp/taskset_gcp_terraform_infrastructure_as_code/task_005_deploy_k8s_loadbalancer_service/main.tf:23-27
23 | resource "google_compute_network" "default" {
24 | name = var.network_name
25 | # is set to false, which means that we'll create subnets explicitly.
26 | auto_create_subnetworks = false
27 | }
Check: CKV2_GCP_18: "Ensure GCP network defines a firewall and does not use the default firewall"
FAILED for resource: google_compute_network.network
File: /home/infrastructure_as_code/terraform/gcp/taskset_gcp_terraform_infrastructure_as_code/task_006_modular_load_balancing_regional_load_balancer/terraform-google-lb/examples/basic/network.tf:3-6
3 | resource "google_compute_network" "network" {
4 | name = "load-balancer-module-network"
5 | auto_create_subnetworks = "false"
6 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.b
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_014_IAM_roles_s3_upload_to_s3/25-s3.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
1 | resource "aws_s3_bucket" "b" {
2 | bucket = "mybucket-codeaprendiz-26071994"
3 | acl = "private"
4 |
5 | tags = {
6 | Name = "mybucket-codeaprendiz-26071994"
7 | }
8 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.b
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_014_IAM_roles_s3_upload_to_s3/25-s3.tf:1-8
1 | resource "aws_s3_bucket" "b" {
2 | bucket = "mybucket-codeaprendiz-26071994"
3 | acl = "private"
4 |
5 | tags = {
6 | Name = "mybucket-codeaprendiz-26071994"
7 | }
8 | }
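CKV_AWS_144 is a resilience control, not a confidentiality one, and for a lab bucket a skip with a reason is defensible; the setting this bucket is actually missing, and which the scan did not flag, is a public access block. The block below is an added example, not the repository's code, showing the bucket rebuilt with the split resources of AWS provider 4.x and later (the inline `acl` argument on `aws_s3_bucket` is deprecated there), a full cross-region replication setup for CKV_AWS_144, and an EventBridge notification for CKV2_AWS_62. Assumed and not in the original: a provider alias `replica` in a second region, the replica bucket name, and the IAM role name.

```hcl
# Added example (not the repository's code). Assumed: provider alias "replica",
# replica bucket name, role name.
provider "aws" {
  alias  = "replica"
  region = "eu-west-1"
}

resource "aws_s3_bucket" "b" {
  bucket = "mybucket-codeaprendiz-26071994"
  tags   = { Name = "mybucket-codeaprendiz-26071994" }
}

resource "aws_s3_bucket" "replica" {
  provider = aws.replica
  bucket   = "mybucket-codeaprendiz-26071994-replica"
}

# Replication requires versioning on both ends.
resource "aws_s3_bucket_versioning" "b" {
  bucket = aws_s3_bucket.b.id
  versioning_configuration { status = "Enabled" }
}

resource "aws_s3_bucket_versioning" "replica" {
  provider = aws.replica
  bucket   = aws_s3_bucket.replica.id
  versioning_configuration { status = "Enabled" }
}

# Not in this scan's findings, but the control that matters for a bucket
# whose name sits in a public repository: no public ACLs or policies.
resource "aws_s3_bucket_public_access_block" "b" {
  bucket                  = aws_s3_bucket.b.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Role that S3 assumes to copy objects, scoped to exactly these two buckets.
data "aws_iam_policy_document" "replication_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["s3.amazonaws.com"]
    }
  }
}

data "aws_iam_policy_document" "replication" {
  statement {
    actions   = ["s3:GetReplicationConfiguration", "s3:ListBucket"]
    resources = [aws_s3_bucket.b.arn]
  }
  statement {
    actions   = ["s3:GetObjectVersionForReplication", "s3:GetObjectVersionAcl", "s3:GetObjectVersionTagging"]
    resources = ["${aws_s3_bucket.b.arn}/*"]
  }
  statement {
    actions   = ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"]
    resources = ["${aws_s3_bucket.replica.arn}/*"]
  }
}

resource "aws_iam_role" "replication" {
  name               = "s3-replication-mybucket"
  assume_role_policy = data.aws_iam_policy_document.replication_assume.json
}

resource "aws_iam_role_policy" "replication" {
  role   = aws_iam_role.replication.id
  policy = data.aws_iam_policy_document.replication.json
}

# CKV_AWS_144: every object version is copied to the second region.
resource "aws_s3_bucket_replication_configuration" "b" {
  depends_on = [aws_s3_bucket_versioning.b, aws_s3_bucket_versioning.replica]
  bucket     = aws_s3_bucket.b.id
  role       = aws_iam_role.replication.arn

  rule {
    id       = "all-objects"
    priority = 1
    status   = "Enabled"
    filter {}                                     # empty filter = whole bucket
    delete_marker_replication { status = "Disabled" } # required with filter
    destination {
      bucket        = aws_s3_bucket.replica.arn
      storage_class = "STANDARD"
    }
  }
}

# CKV2_AWS_62: object events go to EventBridge; no SNS/SQS/Lambda target is
# needed up front and detection rules can be attached later.
resource "aws_s3_bucket_notification" "b" {
  bucket      = aws_s3_bucket.b.id
  eventbridge = true
}
```

Replication only covers objects written after the configuration exists; existing objects need an S3 Batch Replication job. Note also that the replica inherits none of the source's public access block, so the same `aws_s3_bucket_public_access_block` belongs on the replica bucket too.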
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.mariadb
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_012_rds_vpc_ec2/25-rds.tf:19-39
19 | resource "aws_db_instance" "mariadb" {
20 | allocated_storage = 100 # 100 GB of storage, gives us more IOPS than a lower number
21 | engine = "mariadb"
22 | engine_version = "10.1.14"
23 | instance_class = "db.t2.small" # use micro if you want to use the free tier
24 | identifier = "mariadb"
25 | name = "mariadb"
26 | username = "root" # username
27 | password = var.RDS_PASSWORD # password
28 | db_subnet_group_name = aws_db_subnet_group.mariadb-subnet.name
29 | parameter_group_name = aws_db_parameter_group.mariadb-parameters.name
30 | multi_az = "false" # set to true to have high availability: 2 instances synchronized with each other
31 | vpc_security_group_ids = [aws_security_group.allow-mariadb.id]
32 | storage_type = "gp2"
33 | backup_retention_period = 30 # how long you’re going to keep your backups
34 | availability_zone = aws_subnet.main-private-1.availability_zone # prefered AZ
35 | skip_final_snapshot = true # skip final snapshot when doing terraform destroy
36 | tags = {
37 | Name = "mariadb-instance"
38 | }
39 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
FAILED for resource: aws_db_instance.mariadb
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_017_Elastic_Beanstalk/25-rds.tf:18-38
18 | resource "aws_db_instance" "mariadb" {
19 | allocated_storage = 100 # 100 GB of storage, gives us more IOPS than a lower number
20 | engine = "mariadb"
21 | engine_version = "10.1.14"
22 | instance_class = "db.t2.small" # use micro if you want to use the free tier
23 | identifier = "mariadb"
24 | name = "mydatabase" # database name
25 | username = "root" # username
26 | password = var.RDS_PASSWORD # password
27 | db_subnet_group_name = aws_db_subnet_group.mariadb-subnet.name
28 | parameter_group_name = aws_db_parameter_group.mariadb-parameters.name
29 | multi_az = "false" # set to true to have high availability: 2 instances synchronized with each other
30 | vpc_security_group_ids = [aws_security_group.allow-mariadb.id]
31 | storage_type = "gp2"
32 | backup_retention_period = 30 # how long you’re going to keep your backups
33 | availability_zone = aws_subnet.main-private-1.availability_zone # prefered AZ
34 | final_snapshot_identifier = "mariadb-final-snapshot" # final snapshot when executing terraform destroy
35 | tags = {
36 | Name = "mariadb-instance"
37 | }
38 | }
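`copy_tags_to_snapshot = true` is a one-line fix for CKV2_AWS_60 in both RDS findings; it makes manual and automated snapshots inherit the instance's tags, so a snapshot found months later can still be traced to an owner and environment. What checkov did not flag in these two blocks is more important: MariaDB 10.1.14 is long out of support on RDS, the admin user is `root`, the password travels through a plain variable, storage is unencrypted, and `name` is the deprecated spelling of `db_name`. The block below is an added example, not the repository's code, that addresses all of that. It assumes AWS provider 5.x (for `manage_master_user_password`) and that MariaDB 10.11 is an acceptable upgrade target for the lab; everything else keeps the original names.

```hcl
# Added example (not the repository's code): hardened aws_db_instance.mariadb.
# Assumed: AWS provider 5.x and MariaDB 10.11 as the upgrade target.
resource "aws_db_instance" "mariadb" {
  identifier     = "mariadb"
  engine         = "mariadb"
  engine_version = "10.11"          # 10.1.x is out of support on RDS
  instance_class = "db.t3.small"
  db_name        = "mydatabase"     # `name` is the deprecated argument

  # Master credential is generated by RDS and stored in Secrets Manager, so
  # no password lives in tfvars or state. Avoid "root" as the admin login.
  username                    = "dbadmin"
  manage_master_user_password = true

  allocated_storage      = 100
  storage_type           = "gp3"
  storage_encrypted      = true     # cannot be toggled in place on an existing instance
  db_subnet_group_name   = aws_db_subnet_group.mariadb-subnet.name
  parameter_group_name   = aws_db_parameter_group.mariadb-parameters.name
  vpc_security_group_ids = [aws_security_group.allow-mariadb.id]
  availability_zone      = aws_subnet.main-private-1.availability_zone
  multi_az               = false
  publicly_accessible    = false    # explicit; the default is false but say so

  backup_retention_period   = 30
  copy_tags_to_snapshot     = true  # CKV2_AWS_60
  deletion_protection       = true  # set false before a deliberate terraform destroy
  skip_final_snapshot       = false
  final_snapshot_identifier = "mariadb-final-snapshot"

  tags = {
    Name = "mariadb-instance"
  }
}
```

After apply, the generated secret's ARN is exposed as `aws_db_instance.mariadb.master_user_secret[0].secret_arn`; applications read it from Secrets Manager rather than from Terraform outputs. Turning on `storage_encrypted` for an instance that already exists means snapshot, copy with encryption, restore; plan for that rather than expecting an in-place change.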
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.aws-vpc
File: /home/infrastructure_as_code/terraform/gcp/taskset_gcp_terraform_infrastructure_as_code/task_008_building_a_vpn_between_gcp_and_aws/autonetdeploy-multicloudvpn/terraform/aws_networking.tf:7-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
7 | resource "aws_vpc" "aws-vpc" {
8 | cidr_block = var.aws_network_cidr
9 | enable_dns_support = true
10 | enable_dns_hostnames = true
11 | tags = {
12 | "Name" = "aws-vpc"
13 | }
14 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.vpc
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_007_customVPC_igw_sbnt_rt_sg_kp_ec2/05-vpc.tf:5-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
5 | resource "aws_vpc" "vpc" {
6 | cidr_block = var.cidr_vpc
7 | enable_dns_support = true
8 | enable_dns_hostnames = true
9 | tags = {
10 | Environment = var.environment_tag
11 | }
12 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_008_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt/15-vpc.tf:2-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
2 | resource "aws_vpc" "main" {
3 | cidr_block = "10.0.0.0/16"
4 | instance_tenancy = "default"
5 | enable_dns_support = "true"
6 | enable_dns_hostnames = "true"
7 | enable_classiclink = "false"
8 | tags = {
9 | Name = "main"
10 | }
11 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_009_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt_ec2_ebs/15-vpc.tf:2-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
2 | resource "aws_vpc" "main" {
3 | cidr_block = "10.0.0.0/16"
4 | instance_tenancy = "default"
5 | enable_dns_support = "true"
6 | enable_dns_hostnames = "true"
7 | enable_classiclink = "false"
8 | tags = {
9 | Name = "main"
10 | }
11 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_010_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt_ec2_ebs_withMount/15-vpc.tf:2-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
2 | resource "aws_vpc" "main" {
3 | cidr_block = "10.0.0.0/16"
4 | instance_tenancy = "default"
5 | enable_dns_support = "true"
6 | enable_dns_hostnames = "true"
7 | enable_classiclink = "false"
8 | tags = {
9 | Name = "main"
10 | }
11 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_012_rds_vpc_ec2/15-vpc.tf:2-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
2 | resource "aws_vpc" "main" {
3 | cidr_block = "10.0.0.0/16"
4 | instance_tenancy = "default"
5 | enable_dns_support = "true"
6 | enable_dns_hostnames = "true"
7 | enable_classiclink = "false"
8 | tags = {
9 | Name = "main"
10 | }
11 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_014_IAM_roles_s3_upload_to_s3/15-vpc.tf:2-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
2 | resource "aws_vpc" "main" {
3 | cidr_block = "10.0.0.0/16"
4 | instance_tenancy = "default"
5 | enable_dns_support = "true"
6 | enable_dns_hostnames = "true"
7 | enable_classiclink = "false"
8 | tags = {
9 | Name = "main"
10 | }
11 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_015_autoscaling_cloudwatchAlarm_ec2_launchConfiguration/15-vpc.tf:2-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
2 | resource "aws_vpc" "main" {
3 | cidr_block = "10.0.0.0/16"
4 | instance_tenancy = "default"
5 | enable_dns_support = "true"
6 | enable_dns_hostnames = "true"
7 | enable_classiclink = "false"
8 | tags = {
9 | Name = "main"
10 | }
11 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_016_ELB_autoscaling/15-vpc.tf:2-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
2 | resource "aws_vpc" "main" {
3 | cidr_block = "10.0.0.0/16"
4 | instance_tenancy = "default"
5 | enable_dns_support = "true"
6 | enable_dns_hostnames = "true"
7 | enable_classiclink = "false"
8 | tags = {
9 | Name = "main"
10 | }
11 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_017_Elastic_Beanstalk/15-vpc.tf:2-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
2 | resource "aws_vpc" "main" {
3 | cidr_block = "10.0.0.0/16"
4 | instance_tenancy = "default"
5 | enable_dns_support = "true"
6 | enable_dns_hostnames = "true"
7 | enable_classiclink = "false"
8 | tags = {
9 | Name = "main"
10 | }
11 | }
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: aws_vpc.main
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_019_ECS/15-vpc.tf:2-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-4.html
2 | resource "aws_vpc" "main" {
3 | cidr_block = "10.0.0.0/16"
4 | instance_tenancy = "default"
5 | enable_dns_support = "true"
6 | enable_dns_hostnames = "true"
7 | enable_classiclink = "false"
8 | tags = {
9 | Name = "main"
10 | }
11 | }
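Every CKV2_AWS_12 finding above has the same root cause: the `aws_vpc` resources are declared without taking ownership of the VPC's default security group, which AWS creates with an allow-all ingress rule from the group itself and an allow-all egress rule. The fix is to adopt that group with `aws_default_security_group` and give it no rules; on first apply Terraform strips every rule AWS pre-populated, so an instance launched without an explicit group can reach nothing. The block below is an added example, not code from the repository. The resource names and CIDR are assumptions, the DNS flags are written as booleans rather than the strings `"true"`/`"false"` the original uses, and `enable_classiclink` is dropped because the AWS provider removed it in version 5.

```hcl
# Added example: lock down a VPC's default security group (CKV2_AWS_12).
# Resource names and the CIDR are assumptions, not the repository's values.
resource "aws_vpc" "main" {
  cidr_block           = "10.0.0.0/16"
  instance_tenancy     = "default"
  enable_dns_support   = true # booleans, not the strings "true"/"false"
  enable_dns_hostnames = true

  tags = {
    Name = "main"
  }
}

# Adopt the VPC's default security group. Declaring it with no ingress or
# egress blocks makes Terraform delete the rules AWS pre-populates (allow
# all from the group itself, allow all egress), so anything launched
# without an explicit group cannot talk to anything.
resource "aws_default_security_group" "main" {
  vpc_id = aws_vpc.main.id

  tags = {
    Name = "main-default-sg-locked"
  }
}

# Workloads get an explicit, purpose-built group instead of the default.
resource "aws_security_group" "web" {
  name        = "web"
  description = "HTTPS from the internet, no other ingress"
  vpc_id      = aws_vpc.main.id

  ingress {
    description = "HTTPS"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    description = "All egress"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

After apply, `aws ec2 describe-security-groups --filters Name=vpc-id,Values=<vpc-id> Name=group-name,Values=default --query 'SecurityGroups[].[IpPermissions,IpPermissionsEgress]'` should return two empty lists for the VPC. `aws_default_security_group` does not create a group: removing it from the configuration later only drops it from state and leaves the (still rule-less) group in place.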
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.b
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_014_IAM_roles_s3_upload_to_s3/25-s3.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
1 | resource "aws_s3_bucket" "b" {
2 | bucket = "mybucket-codeaprendiz-26071994"
3 | acl = "private"
4 |
5 | tags = {
6 | Name = "mybucket-codeaprendiz-26071994"
7 | }
8 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.worker_group_mgmt_one
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_030_creating_eks/security-groups.tf:2-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
2 | resource "aws_security_group" "worker_group_mgmt_one" {
3 | name_prefix = "worker_group_mgmt_one"
4 | vpc_id = module.vpc.vpc_id
5 |
6 | ingress {
7 | from_port = 22
8 | to_port = 22
9 | protocol = "tcp"
10 |
11 | cidr_blocks = [
12 | "10.0.0.0/8",
13 | ]
14 | }
15 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.worker_group_mgmt_two
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_030_creating_eks/security-groups.tf:17-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
17 | resource "aws_security_group" "worker_group_mgmt_two" {
18 | name_prefix = "worker_group_mgmt_two"
19 | vpc_id = module.vpc.vpc_id
20 |
21 | ingress {
22 | from_port = 22
23 | to_port = 22
24 | protocol = "tcp"
25 |
26 | cidr_blocks = [
27 | "192.168.0.0/16",
28 | ]
29 | }
30 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.all_worker_mgmt
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_030_creating_eks/security-groups.tf:32-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
32 | resource "aws_security_group" "all_worker_mgmt" {
33 | name_prefix = "all_worker_management"
34 | vpc_id = module.vpc.vpc_id
35 |
36 | ingress {
37 | from_port = 22
38 | to_port = 22
39 | protocol = "tcp"
40 |
41 | cidr_blocks = [
42 | "10.0.0.0/8",
43 | "172.16.0.0/12",
44 | "192.168.0.0/16",
45 | ]
46 | }
47 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.worker_group_mgmt_one
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_031_creating_eks_spot/security-groups.tf:2-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
2 | resource "aws_security_group" "worker_group_mgmt_one" {
3 | name_prefix = "worker_group_mgmt_one"
4 | vpc_id = module.vpc.vpc_id
5 |
6 | ingress {
7 | from_port = 22
8 | to_port = 22
9 | protocol = "tcp"
10 |
11 | cidr_blocks = [
12 | "10.0.0.0/8",
13 | ]
14 | }
15 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.worker_group_mgmt_two
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_031_creating_eks_spot/security-groups.tf:17-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
17 | resource "aws_security_group" "worker_group_mgmt_two" {
18 | name_prefix = "worker_group_mgmt_two"
19 | vpc_id = module.vpc.vpc_id
20 |
21 | ingress {
22 | from_port = 22
23 | to_port = 22
24 | protocol = "tcp"
25 |
26 | cidr_blocks = [
27 | "192.168.0.0/16",
28 | ]
29 | }
30 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.all_worker_mgmt
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_031_creating_eks_spot/security-groups.tf:32-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
32 | resource "aws_security_group" "all_worker_mgmt" {
33 | name_prefix = "all_worker_management"
34 | vpc_id = module.vpc.vpc_id
35 |
36 | ingress {
37 | from_port = 22
38 | to_port = 22
39 | protocol = "tcp"
40 |
41 | cidr_blocks = [
42 | "10.0.0.0/8",
43 | "172.16.0.0/12",
44 | "192.168.0.0/16",
45 | ]
46 | }
47 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.worker_group_mgmt_one
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_007_eks_on_demand/security-groups.tf:2-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
2 | resource "aws_security_group" "worker_group_mgmt_one" {
3 | name_prefix = "worker_group_mgmt_one"
4 | vpc_id = module.vpc.vpc_id
5 |
6 | ingress {
7 | from_port = 22
8 | to_port = 22
9 | protocol = "tcp"
10 |
11 | cidr_blocks = [
12 | "10.0.0.0/8",
13 | ]
14 | }
15 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.worker_group_mgmt_two
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_007_eks_on_demand/security-groups.tf:17-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
17 | resource "aws_security_group" "worker_group_mgmt_two" {
18 | name_prefix = "worker_group_mgmt_two"
19 | vpc_id = module.vpc.vpc_id
20 |
21 | ingress {
22 | from_port = 22
23 | to_port = 22
24 | protocol = "tcp"
25 |
26 | cidr_blocks = [
27 | "192.168.0.0/16",
28 | ]
29 | }
30 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.all_worker_mgmt
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_007_eks_on_demand/security-groups.tf:32-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
32 | resource "aws_security_group" "all_worker_mgmt" {
33 | name_prefix = "all_worker_management"
34 | vpc_id = module.vpc.vpc_id
35 |
36 | ingress {
37 | from_port = 22
38 | to_port = 22
39 | protocol = "tcp"
40 |
41 | cidr_blocks = [
42 | "10.0.0.0/8",
43 | "172.16.0.0/12",
44 | "192.168.0.0/16",
45 | ]
46 | }
47 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.worker_group_mgmt_one
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_009_eks_spot_and_on_demand/security-groups.tf:2-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
2 | resource "aws_security_group" "worker_group_mgmt_one" {
3 | name_prefix = "worker_group_mgmt_one"
4 | vpc_id = module.vpc.vpc_id
5 |
6 | ingress {
7 | from_port = 22
8 | to_port = 22
9 | protocol = "tcp"
10 |
11 | cidr_blocks = [
12 | "10.0.0.0/8",
13 | ]
14 | }
15 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.worker_group_mgmt_two
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_009_eks_spot_and_on_demand/security-groups.tf:17-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
17 | resource "aws_security_group" "worker_group_mgmt_two" {
18 | name_prefix = "worker_group_mgmt_two"
19 | vpc_id = module.vpc.vpc_id
20 |
21 | ingress {
22 | from_port = 22
23 | to_port = 22
24 | protocol = "tcp"
25 |
26 | cidr_blocks = [
27 | "192.168.0.0/16",
28 | ]
29 | }
30 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.all_worker_mgmt
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_009_eks_spot_and_on_demand/security-groups.tf:32-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
32 | resource "aws_security_group" "all_worker_mgmt" {
33 | name_prefix = "all_worker_management"
34 | vpc_id = module.vpc.vpc_id
35 |
36 | ingress {
37 | from_port = 22
38 | to_port = 22
39 | protocol = "tcp"
40 |
41 | cidr_blocks = [
42 | "10.0.0.0/8",
43 | "172.16.0.0/12",
44 | "192.168.0.0/16",
45 | ]
46 | }
47 | }
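CKV2_AWS_5 is a graph check: it passes only when some other resource in the scanned configuration references the security group (an instance, launch template, network interface, load balancer and so on). When a group is handed to an external module through its inputs, checkov can only follow that reference if the module was downloaded, which it does not do by default; rerun with `checkov -d . --download-external-modules true` before treating the twelve findings above as real orphans. A group that really is unreferenced is either dead configuration to delete or a rule set that never took effect, and the second case is the one that matters: an SSH rule on a group nothing wears protects nothing. The block below is an added example, not the repository's code, showing the `all_worker_mgmt` group referenced from the launch template of a self-managed worker group; `var.vpc_id`, `var.worker_ami_id`, the instance type and the key name are assumptions.

```hcl
# Added example: make a security group's attachment visible (CKV2_AWS_5).
# var.vpc_id, var.worker_ami_id, the instance type and the key name are
# assumptions, not values from the repository.
variable "vpc_id" {
  type = string
}

variable "worker_ami_id" {
  type = string
}

resource "aws_security_group" "all_worker_mgmt" {
  name_prefix = "all_worker_management"
  description = "SSH to worker nodes from private ranges only"
  vpc_id      = var.vpc_id

  ingress {
    description = "SSH from RFC 1918 ranges"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
  }

  egress {
    description = "All egress"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  lifecycle {
    # With name_prefix a replacement group can be created and attached
    # before the old one is detached from running nodes.
    create_before_destroy = true
  }
}

# The launch template is the resource that references the group. Every
# node started from this template gets the group on its primary ENI, and
# checkov's graph now sees aws_launch_template -> aws_security_group.
resource "aws_launch_template" "worker" {
  name_prefix            = "eks-worker-"
  image_id               = var.worker_ami_id
  instance_type          = "t3.medium"
  key_name               = "eks-mgmt"
  vpc_security_group_ids = [aws_security_group.all_worker_mgmt.id]

  tag_specifications {
    resource_type = "instance"

    tags = {
      Name = "eks-worker"
    }
  }
}
```

Two things worth noticing in the flagged files: `all_worker_mgmt` already allows every range that `worker_group_mgmt_one` and `worker_group_mgmt_two` allow, so the three groups overlap, and port 22 open to all of RFC 1918 is a wide door for what is usually a break-glass need. If node access is the goal, Session Manager through an instance role needs no inbound port at all.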
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: aws_route53_zone.devopslink-public-zone
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_011_route53/250-r53-devopslink_zone.tf:7-11
7 | resource "aws_route53_zone" "devopslink-public-zone" {
8 | name = var.domain_mydevops_link
9 | comment = "${var.domain_mydevops_link} public zone"
10 | provider = aws
11 | }
Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
FAILED for resource: aws_route53_zone.devopslink-public-zone
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_022_route53_ec2/250-r53-devopslink_zone.tf:7-11
7 | resource "aws_route53_zone" "devopslink-public-zone" {
8 | name = var.domain_mydevops_link
9 | comment = "${var.domain_mydevops_link} public zone"
10 | provider = aws
11 | }
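Both CKV2_AWS_39 findings concern the same public zone declared in two tasks. Query logging for a public hosted zone is delivered only to a CloudWatch Logs log group in us-east-1, whatever region the rest of the stack lives in, and Route 53 refuses to attach the log until a CloudWatch resource policy lets its service principal write to that group. The block below is an added example rather than the repository's code; the provider alias, variable name, log group name and 90-day retention are assumptions.

```hcl
# Added example: DNS query logging for a public hosted zone (CKV2_AWS_39).
# The alias, variable, log group name and retention are assumptions.
variable "domain_name" {
  type = string
}

# Route 53 is global but delivers query logs only to log groups in
# us-east-1, so the log group and its resource policy use this alias.
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

resource "aws_route53_zone" "public" {
  name    = var.domain_name
  comment = "${var.domain_name} public zone"
}

resource "aws_cloudwatch_log_group" "route53_queries" {
  provider          = aws.us_east_1
  name              = "/aws/route53/${var.domain_name}"
  retention_in_days = 90
}

# Let the Route 53 service principal create streams and put events into
# any /aws/route53/* group. Without this policy the query log resource
# fails to create.
data "aws_iam_policy_document" "route53_query_logging" {
  statement {
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["arn:aws:logs:*:*:log-group:/aws/route53/*"]

    principals {
      type        = "Service"
      identifiers = ["route53.amazonaws.com"]
    }
  }
}

resource "aws_cloudwatch_log_resource_policy" "route53_query_logging" {
  provider        = aws.us_east_1
  policy_name     = "route53-query-logging"
  policy_document = data.aws_iam_policy_document.route53_query_logging.json
}

resource "aws_route53_query_log" "public" {
  # Nothing here references the resource policy, so Terraform needs to be
  # told to create it first.
  depends_on = [aws_cloudwatch_log_resource_policy.route53_query_logging]

  zone_id                  = aws_route53_zone.public.zone_id
  cloudwatch_log_group_arn = aws_cloudwatch_log_group.route53_queries.arn
}
```

The `depends_on` is not optional: without it Terraform may create the query log before the policy and fail with an access-denied error from Route 53. Each log record carries the queried name, record type, response code, protocol, edge location and resolver address, which is what makes the logs useful for spotting DNS-based exfiltration or a record being resolved from somewhere it should not be.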
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.b
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_014_IAM_roles_s3_upload_to_s3/25-s3.tf:1-8
1 | resource "aws_s3_bucket" "b" {
2 | bucket = "mybucket-codeaprendiz-26071994"
3 | acl = "private"
4 |
5 | tags = {
6 | Name = "mybucket-codeaprendiz-26071994"
7 | }
8 | }
Check: CKV2_AWS_2: "Ensure that only encrypted EBS volumes are attached to EC2 instances"
FAILED for resource: aws_ebs_volume.ebs-volume-1
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_009_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt_ec2_ebs/25-instance.tf:15-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-only-encrypted-ebs-volumes-are-attached-to-ec2-instances.html
15 | resource "aws_ebs_volume" "ebs-volume-1" {
16 | availability_zone = "us-east-1a"
17 | size = 10
18 | type = "gp2"
19 |
20 | tags = {
21 | Name = "custom ebs volume"
22 | }
23 | }
Check: CKV2_AWS_2: "Ensure that only encrypted EBS volumes are attached to EC2 instances"
FAILED for resource: aws_ebs_volume.ebs-volume-1
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_010_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt_ec2_ebs_withMount/25-instance.tf:18-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-only-encrypted-ebs-volumes-are-attached-to-ec2-instances.html
18 | resource "aws_ebs_volume" "ebs-volume-1" {
19 | availability_zone = "us-east-1a"
20 | size = 10
21 | type = "gp2"
22 |
23 | tags = {
24 | Name = "custom ebs volume"
25 | }
26 | }
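Both CKV2_AWS_2 findings are the same `aws_ebs_volume` declared without an `encrypted` argument, so the data volume is created unencrypted. The block below is an added example, not the repository's code: it encrypts the volume with a customer-managed key, attaches it, encrypts the instance's root volume as well, and turns on encryption by default for the region as a backstop. The KMS key, instance, `var.ami_id` and device name are assumptions.

```hcl
# Added example: only encrypted EBS volumes on an instance (CKV2_AWS_2).
# The key, instance, var.ami_id and device name are assumptions.
variable "ami_id" {
  type = string
}

resource "aws_kms_key" "ebs" {
  description         = "CMK for EBS volumes"
  enable_key_rotation = true
}

resource "aws_ebs_volume" "data" {
  availability_zone = "us-east-1a"
  size              = 10
  type              = "gp3"
  encrypted         = true
  kms_key_id        = aws_kms_key.ebs.arn

  tags = {
    Name = "custom ebs volume"
  }
}

resource "aws_instance" "example" {
  ami           = var.ami_id
  instance_type = "t3.micro"
  # A volume can only be attached to an instance in the same AZ.
  availability_zone = aws_ebs_volume.data.availability_zone

  # The root device is its own EBS volume; encrypt it too.
  root_block_device {
    encrypted  = true
    kms_key_id = aws_kms_key.ebs.arn
  }
}

resource "aws_volume_attachment" "data" {
  device_name = "/dev/sdh"
  volume_id   = aws_ebs_volume.data.id
  instance_id = aws_instance.example.id
}

# Region-wide backstop: any volume created without an explicit setting
# is encrypted with the account's default EBS key.
resource "aws_ebs_encryption_by_default" "this" {
  enabled = true
}
```

`encrypted` forces replacement of an existing volume, so on a live system take a snapshot of the old volume, copy the snapshot with encryption enabled, and build the new volume from that copy before switching the attachment; applying the change directly destroys the unencrypted volume together with its data.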
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.vpc
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_007_customVPC_igw_sbnt_rt_sg_kp_ec2/05-vpc.tf:5-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
5 | resource "aws_vpc" "vpc" {
6 | cidr_block = var.cidr_vpc
7 | enable_dns_support = true
8 | enable_dns_hostnames = true
9 | tags = {
10 | Environment = var.environment_tag
11 | }
12 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_008_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt/15-vpc.tf:2-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
2 | resource "aws_vpc" "main" {
3 | cidr_block = "10.0.0.0/16"
4 | instance_tenancy = "default"
5 | enable_dns_support = "true"
6 | enable_dns_hostnames = "true"
7 | enable_classiclink = "false"
8 | tags = {
9 | Name = "main"
10 | }
11 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_009_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt_ec2_ebs/15-vpc.tf:2-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
2 | resource "aws_vpc" "main" {
3 | cidr_block = "10.0.0.0/16"
4 | instance_tenancy = "default"
5 | enable_dns_support = "true"
6 | enable_dns_hostnames = "true"
7 | enable_classiclink = "false"
8 | tags = {
9 | Name = "main"
10 | }
11 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_010_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt_ec2_ebs_withMount/15-vpc.tf:2-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
2 | resource "aws_vpc" "main" {
3 | cidr_block = "10.0.0.0/16"
4 | instance_tenancy = "default"
5 | enable_dns_support = "true"
6 | enable_dns_hostnames = "true"
7 | enable_classiclink = "false"
8 | tags = {
9 | Name = "main"
10 | }
11 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_012_rds_vpc_ec2/15-vpc.tf:2-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
2 | resource "aws_vpc" "main" {
3 | cidr_block = "10.0.0.0/16"
4 | instance_tenancy = "default"
5 | enable_dns_support = "true"
6 | enable_dns_hostnames = "true"
7 | enable_classiclink = "false"
8 | tags = {
9 | Name = "main"
10 | }
11 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_014_IAM_roles_s3_upload_to_s3/15-vpc.tf:2-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
2 | resource "aws_vpc" "main" {
3 | cidr_block = "10.0.0.0/16"
4 | instance_tenancy = "default"
5 | enable_dns_support = "true"
6 | enable_dns_hostnames = "true"
7 | enable_classiclink = "false"
8 | tags = {
9 | Name = "main"
10 | }
11 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_015_autoscaling_cloudwatchAlarm_ec2_launchConfiguration/15-vpc.tf:2-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
2 | resource "aws_vpc" "main" {
3 | cidr_block = "10.0.0.0/16"
4 | instance_tenancy = "default"
5 | enable_dns_support = "true"
6 | enable_dns_hostnames = "true"
7 | enable_classiclink = "false"
8 | tags = {
9 | Name = "main"
10 | }
11 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_016_ELB_autoscaling/15-vpc.tf:2-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
2 | resource "aws_vpc" "main" {
3 | cidr_block = "10.0.0.0/16"
4 | instance_tenancy = "default"
5 | enable_dns_support = "true"
6 | enable_dns_hostnames = "true"
7 | enable_classiclink = "false"
8 | tags = {
9 | Name = "main"
10 | }
11 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_017_Elastic_Beanstalk/15-vpc.tf:2-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
2 | resource "aws_vpc" "main" {
3 | cidr_block = "10.0.0.0/16"
4 | instance_tenancy = "default"
5 | enable_dns_support = "true"
6 | enable_dns_hostnames = "true"
7 | enable_classiclink = "false"
8 | tags = {
9 | Name = "main"
10 | }
11 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.main
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_019_ECS/15-vpc.tf:2-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
2 | resource "aws_vpc" "main" {
3 | cidr_block = "10.0.0.0/16"
4 | instance_tenancy = "default"
5 | enable_dns_support = "true"
6 | enable_dns_hostnames = "true"
7 | enable_classiclink = "false"
8 | tags = {
9 | Name = "main"
10 | }
11 | }
Check: CKV2_AWS_11: "Ensure VPC flow logging is enabled in all VPCs"
FAILED for resource: aws_vpc.aws-vpc
File: /home/infrastructure_as_code/terraform/gcp/taskset_gcp_terraform_infrastructure_as_code/task_008_building_a_vpn_between_gcp_and_aws/autonetdeploy-multicloudvpn/terraform/aws_networking.tf:7-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/logging-9-enable-vpc-flow-logging.html
7 | resource "aws_vpc" "aws-vpc" {
8 | cidr_block = var.aws_network_cidr
9 | enable_dns_support = true
10 | enable_dns_hostnames = true
11 | tags = {
12 | "Name" = "aws-vpc"
13 | }
14 | }
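All eleven CKV2_AWS_11 findings are VPCs with no `aws_flow_log` resource pointing at them, which leaves no record of accepted or rejected connections to work from during an incident. The block below is an added example, not the repository's code, that sends a VPC's flow logs to CloudWatch Logs through a role scoped to one log group; `var.vpc_id`, the resource names and the retention period are assumptions.

```hcl
# Added example: VPC flow logs to CloudWatch Logs (CKV2_AWS_11).
# var.vpc_id, the names and the retention period are assumptions.
variable "vpc_id" {
  type = string
}

resource "aws_cloudwatch_log_group" "vpc_flow" {
  name              = "/aws/vpc/flow-logs/main"
  retention_in_days = 90
}

# Role the VPC Flow Logs service assumes to write into the log group.
data "aws_iam_policy_document" "flow_logs_assume" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["vpc-flow-logs.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "flow_logs" {
  name               = "vpc-flow-logs-main"
  assume_role_policy = data.aws_iam_policy_document.flow_logs_assume.json
}

# Write access is scoped to this one log group; only the read-only
# describe calls are left account-wide.
data "aws_iam_policy_document" "flow_logs_write" {
  statement {
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["${aws_cloudwatch_log_group.vpc_flow.arn}:*"]
  }

  statement {
    actions   = ["logs:DescribeLogGroups", "logs:DescribeLogStreams"]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "flow_logs" {
  name   = "vpc-flow-logs-write"
  role   = aws_iam_role.flow_logs.id
  policy = data.aws_iam_policy_document.flow_logs_write.json
}

resource "aws_flow_log" "main" {
  vpc_id               = var.vpc_id
  traffic_type         = "ALL" # ACCEPT and REJECT; rejects are the interesting half
  log_destination_type = "cloud-watch-logs"
  log_destination      = aws_cloudwatch_log_group.vpc_flow.arn
  iam_role_arn         = aws_iam_role.flow_logs.arn
  # 60-second aggregation instead of the 600-second default, so a short
  # scan or beacon shows up as its own records.
  max_aggregation_interval = 60
}
```

Flow logs record the 5-tuple, byte and packet counts and the accept/reject verdict, not payloads, so they answer "what talked to what" rather than "what was said". For a VPC that only needs retention for audit, `log_destination_type = "s3"` with a bucket ARN is cheaper and needs no IAM role, since S3 delivery is authorised through the bucket policy instead.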
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.b
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_014_IAM_roles_s3_upload_to_s3/25-s3.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
1 | resource "aws_s3_bucket" "b" {
2 | bucket = "mybucket-codeaprendiz-26071994"
3 | acl = "private"
4 |
5 | tags = {
6 | Name = "mybucket-codeaprendiz-26071994"
7 | }
8 | }
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: aws_s3_bucket.b
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_014_IAM_roles_s3_upload_to_s3/25-s3.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
1 | resource "aws_s3_bucket" "b" {
2 | bucket = "mybucket-codeaprendiz-26071994"
3 | acl = "private"
4 |
5 | tags = {
6 | Name = "mybucket-codeaprendiz-26071994"
7 | }
8 | }
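CKV_AWS_21, CKV2_AWS_61, CKV_AWS_18 and CKV2_AWS_6 all fire on the same bucket from task_014, which is declared with nothing but a name and a deprecated inline `acl`. The block below is an added example, not the repository's code, that keeps the bucket and adds the four missing controls as the separate resources the AWS provider uses from version 4 onward; the log bucket name, log prefix and day counts are assumptions. Versioning and a lifecycle rule go together, since versioning without expiry keeps every overwritten or deleted object forever, and the `acl` argument is left out because buckets created since April 2023 have ACLs disabled by default and are private by ownership.

```hcl
# Added example: the task_014 bucket with versioning (CKV_AWS_21), a
# lifecycle rule (CKV2_AWS_61), access logging (CKV_AWS_18) and a public
# access block (CKV2_AWS_6). Assumes AWS provider >= 4.0; the log bucket
# name, prefix and day counts are assumptions.
data "aws_caller_identity" "current" {}

resource "aws_s3_bucket" "b" {
  bucket = "mybucket-codeaprendiz-26071994"

  tags = {
    Name = "mybucket-codeaprendiz-26071994"
  }
}

resource "aws_s3_bucket_public_access_block" "b" {
  bucket                  = aws_s3_bucket.b.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_versioning" "b" {
  bucket = aws_s3_bucket.b.id

  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_lifecycle_configuration" "b" {
  bucket     = aws_s3_bucket.b.id
  depends_on = [aws_s3_bucket_versioning.b] # noncurrent rules need versioning on

  rule {
    id     = "expire-noncurrent-versions"
    status = "Enabled"

    filter {} # every object in the bucket

    noncurrent_version_expiration {
      noncurrent_days = 90
    }

    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }
  }
}

# Server access logs must land in a different bucket than the one logged.
resource "aws_s3_bucket" "logs" {
  bucket = "mybucket-codeaprendiz-26071994-logs"
}

resource "aws_s3_bucket_public_access_block" "logs" {
  bucket                  = aws_s3_bucket.logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# The S3 log delivery principal writes via bucket policy. The SourceAccount
# condition stops a bucket in another account from logging into ours.
data "aws_iam_policy_document" "logs" {
  statement {
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.logs.arn}/*"]

    principals {
      type        = "Service"
      identifiers = ["logging.s3.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

resource "aws_s3_bucket_policy" "logs" {
  bucket = aws_s3_bucket.logs.id
  policy = data.aws_iam_policy_document.logs.json
}

resource "aws_s3_bucket_logging" "b" {
  bucket        = aws_s3_bucket.b.id
  target_bucket = aws_s3_bucket.logs.id
  target_prefix = "access-logs/"
}
```

The public access block is the control that actually stops a later bucket policy or object ACL from exposing data; `acl = "private"` on its own never did, because it only set the initial ACL. The log bucket itself is not logged, which is the usual compromise to avoid an endless loop of logs about logs.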
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.web
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_001_vars_provider_ec2_dataSources/05-instance.tf:17-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
17 | resource "aws_instance" "web" {
18 | ami = data.aws_ami.ubuntu.id
19 | instance_type = "t2.micro"
20 |
21 | tags = {
22 | Name = "HelloWorld"
23 | }
24 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.web
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_002_defaultVPC_sbnt_sg_kp_ec2/35-ec2-instance.tf:23-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
23 | resource "aws_instance" "web" {
24 | ami = data.aws_ami.ubuntu-bionic-latest.id
25 | instance_type = var.instance_type
26 | subnet_id = aws_default_subnet.default_az1.id
27 | vpc_security_group_ids = [aws_security_group.sg_22.id]
28 | key_name = aws_key_pair.ec2key.key_name
29 |
30 | tags = {
31 | Name = "DroneCI"
32 | }
33 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.web
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_003_defaultVPC_kp_sbnt_sg_ec2_script/25-instance.tf:17-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
17 | resource "aws_instance" "web" {
18 | ami = data.aws_ami.ubuntu.id
19 | instance_type = "t2.micro"
20 | key_name = aws_key_pair.mykey.key_name
21 | subnet_id = aws_default_subnet.default_az1.id
22 | vpc_security_group_ids = [aws_security_group.sg_22.id]
23 | provisioner "file" {
24 | source = "script.sh"
25 | destination = "/tmp/script.sh"
26 | }
27 |
28 | provisioner "remote-exec" {
29 | inline = [
30 | "chmod +x /tmp/script.sh",
31 | "sudo /tmp/script.sh",
32 | ]
33 | }
34 | connection {
35 | host = coalesce(self.public_ip, self.private_ip)
36 | type = "ssh"
37 | user = var.INSTANCE_USERNAME
38 | private_key = file(var.PATH_TO_PRIVATE_KEY)
39 | }
40 | tags = {
41 | Name = "HelloWorld"
42 | }
43 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.web
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_004_vars_provider_ec2_output/10-instance.tf:17-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
17 | resource "aws_instance" "web" {
18 | ami = data.aws_ami.ubuntu.id
19 | instance_type = "t2.micro"
20 |
21 | provisioner "local-exec" {
22 | command = "echo ${aws_instance.web.private_ip} >> private_ips.txt"
23 | }
24 | tags = {
25 | Name = "HelloWorld"
26 | }
27 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.web
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_005_vars_provider_ec2_remoteStateInS3/10-instance.tf:17-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
17 | resource "aws_instance" "web" {
18 | ami = data.aws_ami.ubuntu.id
19 | instance_type = "t2.micro"
20 |
21 | tags = {
22 | Name = "HelloWorld"
23 | }
24 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.testInstance
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_007_customVPC_igw_sbnt_rt_sg_kp_ec2/35-ec2-instance.tf:4-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
4 | resource "aws_instance" "testInstance" {
5 | ami = var.instance_ami
6 | instance_type = var.instance_type
7 | subnet_id = aws_subnet.subnet_public.id
8 | vpc_security_group_ids = [aws_security_group.sg_22.id]
9 | key_name = aws_key_pair.ec2key.key_name
10 | tags = {
11 | Environment = var.environment_tag
12 | }
13 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.example
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_009_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt_ec2_ebs/25-instance.tf:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "example" {
2 | ami = var.AMIS[var.AWS_REGION]
3 | instance_type = "t2.micro"
4 |
5 | # the VPC subnet
6 | subnet_id = aws_subnet.main-public-1.id
7 |
8 | # the security group
9 | vpc_security_group_ids = [aws_security_group.allow-ssh.id]
10 |
11 | # the public SSH key
12 | key_name = aws_key_pair.mykeypair.key_name
13 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.example
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_010_customVPC_3PriSbnts_3PubSbnts_nat_igw_rt_ec2_ebs_withMount/25-instance.tf:1-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "example" {
2 | ami = var.AMIS[var.AWS_REGION]
3 | instance_type = "t2.micro"
4 |
5 | # the VPC subnet
6 | subnet_id = aws_subnet.main-public-1.id
7 |
8 | # the security group
9 | vpc_security_group_ids = [aws_security_group.allow-ssh.id]
10 |
11 | # the public SSH key
12 | key_name = aws_key_pair.mykeypair.key_name
13 |
14 | # user data
15 | user_data = data.template_cloudinit_config.cloudinit-example.rendered
16 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.example
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_012_rds_vpc_ec2/20-instance.tf:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
1 | resource "aws_instance" "example" {
2 | ami = var.AMIS[var.AWS_REGION]
3 | instance_type = "t2.micro"
4 |
5 | # the VPC subnet
6 | subnet_id = aws_subnet.main-public-1.id
7 |
8 | # the security group
9 | vpc_security_group_ids = [aws_security_group.example-instance.id]
10 |
11 | # the public SSH key
12 | key_name = aws_key_pair.mykeypair.key_name
13 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.web
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_022_route53_ec2/05-instance.tf:17-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
17 | resource "aws_instance" "web" {
18 | ami = data.aws_ami.ubuntu.id
19 | instance_type = "t2.micro"
20 |
21 | tags = {
22 | Name = "HelloWorld"
23 | }
24 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.web
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_023_terragrunt_ec2/10-ec2.tf:17-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
17 | resource "aws_instance" "web" {
18 | ami = data.aws_ami.ubuntu.id
19 | instance_type = "t2.micro"
20 |
21 | tags = {
22 | Name = "HelloWorld"
23 | }
24 | }
Check: CKV2_AWS_41: "Ensure an IAM role is attached to EC2 instance"
FAILED for resource: aws_instance.aws-vm
File: /home/infrastructure_as_code/terraform/gcp/taskset_gcp_terraform_infrastructure_as_code/task_008_building_a_vpn_between_gcp_and_aws/autonetdeploy-multicloudvpn/terraform/aws_compute.tf:29-58
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-an-iam-role-is-attached-to-ec2-instance.html
29 | resource "aws_instance" "aws-vm" {
30 | ami = data.aws_ami.ubuntu.id
31 | instance_type = var.aws_instance_type
32 | subnet_id = aws_subnet.aws-subnet1.id
33 | key_name = "vm-ssh-key"
34 |
35 | associate_public_ip_address = true
36 | private_ip = var.aws_vm_address
37 |
38 | vpc_security_group_ids = [
39 | aws_security_group.aws-allow-icmp.id,
40 | aws_security_group.aws-allow-ssh.id,
41 | aws_security_group.aws-allow-vpn.id,
42 | aws_security_group.aws-allow-internet.id,
43 | ]
44 |
45 | user_data = replace(
46 | replace(
47 | file("vm_userdata.sh"),
48 | "",
49 | google_compute_address.gcp-ip.address,
50 | ),
51 | "",
52 | var.gcp_vm_address,
53 | )
54 |
55 | tags = {
56 | Name = "aws-vm-${var.aws_region}"
57 | }
58 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.devopslink-public-zone
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_011_route53/250-r53-devopslink_zone.tf:7-11
7 | resource "aws_route53_zone" "devopslink-public-zone" {
8 | name = var.domain_mydevops_link
9 | comment = "${var.domain_mydevops_link} public zone"
10 | provider = aws
11 | }
Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
FAILED for resource: aws_route53_zone.devopslink-public-zone
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_022_route53_ec2/250-r53-devopslink_zone.tf:7-11
7 | resource "aws_route53_zone" "devopslink-public-zone" {
8 | name = var.domain_mydevops_link
9 | comment = "${var.domain_mydevops_link} public zone"
10 | provider = aws
11 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.b
File: /home/infrastructure_as_code/terraform/aws/taskset_aws_terraform_infrastructure_as_code/task_014_IAM_roles_s3_upload_to_s3/25-s3.tf:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
1 | resource "aws_s3_bucket" "b" {
2 | bucket = "mybucket-codeaprendiz-26071994"
3 | acl = "private"
4 |
5 | tags = {
6 | Name = "mybucket-codeaprendiz-26071994"
7 | }
8 | }
cloudformation scan results:
Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 5
kubernetes scan results:
Passed checks: 10868, Failed checks: 2226, Skipped checks: 0
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx-dep
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_008_k8s_nginx/dep.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | creationTimestamp: null
5 | labels:
6 | app: nginx-dep
7 | name: nginx-dep
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx-dep
13 | strategy: {}
14 | template:
15 | metadata:
16 | creationTimestamp: null
17 | labels:
18 | app: nginx-dep
19 | spec:
20 | containers:
21 | - image: dubizzledotcom/demo-nginx
22 | name: demo-nginx
23 | resources: {}
24 | status: {}
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx-dep
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_008_k8s_nginx/dep.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | creationTimestamp: null
5 | labels:
6 | app: nginx-dep
7 | name: nginx-dep
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx-dep
13 | strategy: {}
14 | template:
15 | metadata:
16 | creationTimestamp: null
17 | labels:
18 | app: nginx-dep
19 | spec:
20 | containers:
21 | - image: dubizzledotcom/demo-nginx
22 | name: demo-nginx
23 | resources: {}
24 | status: {}
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx-dep
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_008_k8s_nginx/dep.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | creationTimestamp: null
5 | labels:
6 | app: nginx-dep
7 | name: nginx-dep
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx-dep
13 | strategy: {}
14 | template:
15 | metadata:
16 | creationTimestamp: null
17 | labels:
18 | app: nginx-dep
19 | spec:
20 | containers:
21 | - image: dubizzledotcom/demo-nginx
22 | name: demo-nginx
23 | resources: {}
24 | status: {}
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx-dep
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_008_k8s_nginx/dep.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | creationTimestamp: null
5 | labels:
6 | app: nginx-dep
7 | name: nginx-dep
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx-dep
13 | strategy: {}
14 | template:
15 | metadata:
16 | creationTimestamp: null
17 | labels:
18 | app: nginx-dep
19 | spec:
20 | containers:
21 | - image: dubizzledotcom/demo-nginx
22 | name: demo-nginx
23 | resources: {}
24 | status: {}
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx-dep
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_008_k8s_nginx/dep.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | creationTimestamp: null
5 | labels:
6 | app: nginx-dep
7 | name: nginx-dep
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx-dep
13 | strategy: {}
14 | template:
15 | metadata:
16 | creationTimestamp: null
17 | labels:
18 | app: nginx-dep
19 | spec:
20 | containers:
21 | - image: dubizzledotcom/demo-nginx
22 | name: demo-nginx
23 | resources: {}
24 | status: {}
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-dep
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_008_k8s_nginx/dep.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | creationTimestamp: null
5 | labels:
6 | app: nginx-dep
7 | name: nginx-dep
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx-dep
13 | strategy: {}
14 | template:
15 | metadata:
16 | creationTimestamp: null
17 | labels:
18 | app: nginx-dep
19 | spec:
20 | containers:
21 | - image: dubizzledotcom/demo-nginx
22 | name: demo-nginx
23 | resources: {}
24 | status: {}
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx-dep
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_008_k8s_nginx/dep.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | creationTimestamp: null
5 | labels:
6 | app: nginx-dep
7 | name: nginx-dep
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx-dep
13 | strategy: {}
14 | template:
15 | metadata:
16 | creationTimestamp: null
17 | labels:
18 | app: nginx-dep
19 | spec:
20 | containers:
21 | - image: dubizzledotcom/demo-nginx
22 | name: demo-nginx
23 | resources: {}
24 | status: {}
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx-dep
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_008_k8s_nginx/dep.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | creationTimestamp: null
5 | labels:
6 | app: nginx-dep
7 | name: nginx-dep
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx-dep
13 | strategy: {}
14 | template:
15 | metadata:
16 | creationTimestamp: null
17 | labels:
18 | app: nginx-dep
19 | spec:
20 | containers:
21 | - image: dubizzledotcom/demo-nginx
22 | name: demo-nginx
23 | resources: {}
24 | status: {}
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx-dep
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_008_k8s_nginx/dep.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | creationTimestamp: null
5 | labels:
6 | app: nginx-dep
7 | name: nginx-dep
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx-dep
13 | strategy: {}
14 | template:
15 | metadata:
16 | creationTimestamp: null
17 | labels:
18 | app: nginx-dep
19 | spec:
20 | containers:
21 | - image: dubizzledotcom/demo-nginx
22 | name: demo-nginx
23 | resources: {}
24 | status: {}
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-dep
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_008_k8s_nginx/dep.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | creationTimestamp: null
5 | labels:
6 | app: nginx-dep
7 | name: nginx-dep
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx-dep
13 | strategy: {}
14 | template:
15 | metadata:
16 | creationTimestamp: null
17 | labels:
18 | app: nginx-dep
19 | spec:
20 | containers:
21 | - image: dubizzledotcom/demo-nginx
22 | name: demo-nginx
23 | resources: {}
24 | status: {}
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx-dep
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_008_k8s_nginx/dep.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | creationTimestamp: null
5 | labels:
6 | app: nginx-dep
7 | name: nginx-dep
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx-dep
13 | strategy: {}
14 | template:
15 | metadata:
16 | creationTimestamp: null
17 | labels:
18 | app: nginx-dep
19 | spec:
20 | containers:
21 | - image: dubizzledotcom/demo-nginx
22 | name: demo-nginx
23 | resources: {}
24 | status: {}
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx-dep
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_008_k8s_nginx/dep.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | creationTimestamp: null
5 | labels:
6 | app: nginx-dep
7 | name: nginx-dep
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx-dep
13 | strategy: {}
14 | template:
15 | metadata:
16 | creationTimestamp: null
17 | labels:
18 | app: nginx-dep
19 | spec:
20 | containers:
21 | - image: dubizzledotcom/demo-nginx
22 | name: demo-nginx
23 | resources: {}
24 | status: {}
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx-dep
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_008_k8s_nginx/dep.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | creationTimestamp: null
5 | labels:
6 | app: nginx-dep
7 | name: nginx-dep
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx-dep
13 | strategy: {}
14 | template:
15 | metadata:
16 | creationTimestamp: null
17 | labels:
18 | app: nginx-dep
19 | spec:
20 | containers:
21 | - image: dubizzledotcom/demo-nginx
22 | name: demo-nginx
23 | resources: {}
24 | status: {}
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx-dep
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_008_k8s_nginx/dep.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | creationTimestamp: null
5 | labels:
6 | app: nginx-dep
7 | name: nginx-dep
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx-dep
13 | strategy: {}
14 | template:
15 | metadata:
16 | creationTimestamp: null
17 | labels:
18 | app: nginx-dep
19 | spec:
20 | containers:
21 | - image: dubizzledotcom/demo-nginx
22 | name: demo-nginx
23 | resources: {}
24 | status: {}
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx-dep
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_008_k8s_nginx/dep.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | creationTimestamp: null
5 | labels:
6 | app: nginx-dep
7 | name: nginx-dep
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx-dep
13 | strategy: {}
14 | template:
15 | metadata:
16 | creationTimestamp: null
17 | labels:
18 | app: nginx-dep
19 | spec:
20 | containers:
21 | - image: dubizzledotcom/demo-nginx
22 | name: demo-nginx
23 | resources: {}
24 | status: {}
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.nginx-dep
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_008_k8s_nginx/dep.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | creationTimestamp: null
5 | labels:
6 | app: nginx-dep
7 | name: nginx-dep
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx-dep
13 | strategy: {}
14 | template:
15 | metadata:
16 | creationTimestamp: null
17 | labels:
18 | app: nginx-dep
19 | spec:
20 | containers:
21 | - image: dubizzledotcom/demo-nginx
22 | name: demo-nginx
23 | resources: {}
24 | status: {}
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx-dep
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_008_k8s_nginx/dep.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | creationTimestamp: null
5 | labels:
6 | app: nginx-dep
7 | name: nginx-dep
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx-dep
13 | strategy: {}
14 | template:
15 | metadata:
16 | creationTimestamp: null
17 | labels:
18 | app: nginx-dep
19 | spec:
20 | containers:
21 | - image: dubizzledotcom/demo-nginx
22 | name: demo-nginx
23 | resources: {}
24 | status: {}
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.nginx-dep-svc-nodeport
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_008_k8s_nginx/nginx-svc-nodeport.yaml:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 | creationTimestamp: null
5 | labels:
6 | app: nginx-dep
7 | name: nginx-dep-svc-nodeport
8 | spec:
9 | ports:
10 | - port: 8080
11 | protocol: TCP
12 | targetPort: 80
13 | selector:
14 | app: nginx-dep
15 | type: NodePort
16 | status:
17 | loadBalancer: {}
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Ingress.default.ingress-wildcard-host
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_008_k8s_nginx/ingress.yaml:1-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: networking.k8s.io/v1
2 | kind: Ingress
3 | metadata:
4 | name: ingress-wildcard-host
5 | spec:
6 | rules:
7 | - host: "testingress.com"
8 | http:
9 | paths:
10 | - pathType: Prefix
11 | path: "/check.txt"
12 | backend:
13 | service:
14 | name: nginx-dep-svc-nodeport
15 | port:
16 | number: 8080
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.nodejs-env
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/nodejs-env-configmap.yaml:1-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | data:
3 | MONGO_DB: sharkinfo
4 | MONGO_PORT: "27017"
5 | kind: ConfigMap
6 | metadata:
7 | labels:
8 | io.kompose.service: nodejs-env
9 | name: nodejs-env
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Secret.default.mongo-secret
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/secret.yaml:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | data:
3 | MONGO_PASSWORD: cGFzc3dvcmQ=
4 | MONGO_USERNAME: YWRtaW4=
5 | kind: Secret
6 | metadata:
7 | name: mongo-secret
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.nodejs
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/nodejs-service.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 | annotations:
5 | kompose.cmd: kompose convert
6 | kompose.version: 1.18.0 (06a2e56)
7 | labels:
8 | io.kompose.service: nodejs
9 | name: nodejs
10 | spec:
11 | type: LoadBalancer
12 | ports:
13 | - name: "80"
14 | port: 80
15 | targetPort: 8080
16 | selector:
17 | io.kompose.service: nodejs
18 | status:
19 | loadBalancer: {}
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.db
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/db-service.yaml:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 | annotations:
5 | kompose.cmd: kompose convert
6 | kompose.version: 1.18.0 (06a2e56)
7 | labels:
8 | io.kompose.service: db
9 | name: db
10 | spec:
11 | ports:
12 | - port: 27017
13 | targetPort: 27017
14 | selector:
15 | io.kompose.service: db
16 | status:
17 | loadBalancer: {}
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.db
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/db-deployment.yaml:1-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | annotations:
5 | kompose.cmd: kompose convert
6 | kompose.version: 1.18.0 (06a2e56)
7 | labels:
8 | io.kompose.service: db
9 | name: db
10 | spec:
11 | replicas: 1
12 | strategy:
13 | type: Recreate
14 | template:
15 | metadata:
16 | labels:
17 | io.kompose.service: db
18 | spec:
19 | containers:
20 | - env:
21 | - name: MONGO_INITDB_ROOT_PASSWORD
22 | # value: "password"
23 | valueFrom:
24 | secretKeyRef:
25 | name: mongo-secret
26 | key: MONGO_PASSWORD
27 | - name: MONGO_INITDB_ROOT_USERNAME
28 | # value: "admin"
29 | valueFrom:
30 | secretKeyRef:
31 | name: mongo-secret
32 | key: MONGO_USERNAME
33 | image: mongo:4.1.8-xenial
34 | name: db
35 | resources: {}
36 | volumeMounts:
37 | - mountPath: /data/db
38 | name: dbdata
39 | restartPolicy: Always
40 | volumes:
41 | - name: dbdata
42 | persistentVolumeClaim:
43 | claimName: dbdata
44 | selector:
45 | matchLabels:
46 | io.kompose.service: db
47 | status: {}
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.db
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/db-deployment.yaml:1-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | annotations:
5 | kompose.cmd: kompose convert
6 | kompose.version: 1.18.0 (06a2e56)
7 | labels:
8 | io.kompose.service: db
9 | name: db
10 | spec:
11 | replicas: 1
12 | strategy:
13 | type: Recreate
14 | template:
15 | metadata:
16 | labels:
17 | io.kompose.service: db
18 | spec:
19 | containers:
20 | - env:
21 | - name: MONGO_INITDB_ROOT_PASSWORD
22 | # value: "password"
23 | valueFrom:
24 | secretKeyRef:
25 | name: mongo-secret
26 | key: MONGO_PASSWORD
27 | - name: MONGO_INITDB_ROOT_USERNAME
28 | # value: "admin"
29 | valueFrom:
30 | secretKeyRef:
31 | name: mongo-secret
32 | key: MONGO_USERNAME
33 | image: mongo:4.1.8-xenial
34 | name: db
35 | resources: {}
36 | volumeMounts:
37 | - mountPath: /data/db
38 | name: dbdata
39 | restartPolicy: Always
40 | volumes:
41 | - name: dbdata
42 | persistentVolumeClaim:
43 | claimName: dbdata
44 | selector:
45 | matchLabels:
46 | io.kompose.service: db
47 | status: {}
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.db
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/db-deployment.yaml:1-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | annotations:
5 | kompose.cmd: kompose convert
6 | kompose.version: 1.18.0 (06a2e56)
7 | labels:
8 | io.kompose.service: db
9 | name: db
10 | spec:
11 | replicas: 1
12 | strategy:
13 | type: Recreate
14 | template:
15 | metadata:
16 | labels:
17 | io.kompose.service: db
18 | spec:
19 | containers:
20 | - env:
21 | - name: MONGO_INITDB_ROOT_PASSWORD
22 | # value: "password"
23 | valueFrom:
24 | secretKeyRef:
25 | name: mongo-secret
26 | key: MONGO_PASSWORD
27 | - name: MONGO_INITDB_ROOT_USERNAME
28 | # value: "admin"
29 | valueFrom:
30 | secretKeyRef:
31 | name: mongo-secret
32 | key: MONGO_USERNAME
33 | image: mongo:4.1.8-xenial
34 | name: db
35 | resources: {}
36 | volumeMounts:
37 | - mountPath: /data/db
38 | name: dbdata
39 | restartPolicy: Always
40 | volumes:
41 | - name: dbdata
42 | persistentVolumeClaim:
43 | claimName: dbdata
44 | selector:
45 | matchLabels:
46 | io.kompose.service: db
47 | status: {}
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.db
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/db-deployment.yaml:1-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | annotations:
5 | kompose.cmd: kompose convert
6 | kompose.version: 1.18.0 (06a2e56)
7 | labels:
8 | io.kompose.service: db
9 | name: db
10 | spec:
11 | replicas: 1
12 | strategy:
13 | type: Recreate
14 | template:
15 | metadata:
16 | labels:
17 | io.kompose.service: db
18 | spec:
19 | containers:
20 | - env:
21 | - name: MONGO_INITDB_ROOT_PASSWORD
22 | # value: "password"
23 | valueFrom:
24 | secretKeyRef:
25 | name: mongo-secret
26 | key: MONGO_PASSWORD
27 | - name: MONGO_INITDB_ROOT_USERNAME
28 | # value: "admin"
29 | valueFrom:
30 | secretKeyRef:
31 | name: mongo-secret
32 | key: MONGO_USERNAME
33 | image: mongo:4.1.8-xenial
34 | name: db
35 | resources: {}
36 | volumeMounts:
37 | - mountPath: /data/db
38 | name: dbdata
39 | restartPolicy: Always
40 | volumes:
41 | - name: dbdata
42 | persistentVolumeClaim:
43 | claimName: dbdata
44 | selector:
45 | matchLabels:
46 | io.kompose.service: db
47 | status: {}
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.db
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/db-deployment.yaml:1-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.db
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/db-deployment.yaml:1-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.db
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/db-deployment.yaml:1-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.db
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/db-deployment.yaml:1-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.db
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/db-deployment.yaml:1-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.db
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/db-deployment.yaml:1-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.db
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/db-deployment.yaml:1-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.default.db
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/db-deployment.yaml:1-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.db
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/db-deployment.yaml:1-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.db
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/db-deployment.yaml:1-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.db
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/db-deployment.yaml:1-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.db
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/db-deployment.yaml:1-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.db
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/db-deployment.yaml:1-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.db
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/db-deployment.yaml:1-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nodejs
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/nodejs-deployment.yaml:1-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nodejs
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/nodejs-deployment.yaml:1-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.nodejs
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/nodejs-deployment.yaml:1-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nodejs
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/nodejs-deployment.yaml:1-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nodejs
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/nodejs-deployment.yaml:1-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nodejs
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/nodejs-deployment.yaml:1-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nodejs
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/nodejs-deployment.yaml:1-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nodejs
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/nodejs-deployment.yaml:1-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nodejs
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/nodejs-deployment.yaml:1-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nodejs
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/nodejs-deployment.yaml:1-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nodejs
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/nodejs-deployment.yaml:1-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nodejs
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/nodejs-deployment.yaml:1-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.default.nodejs
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/nodejs-deployment.yaml:1-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nodejs
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/nodejs-deployment.yaml:1-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nodejs
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/nodejs-deployment.yaml:1-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nodejs
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/nodejs-deployment.yaml:1-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nodejs
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/nodejs-deployment.yaml:1-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.nodejs
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/nodejs-deployment.yaml:1-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.nodejs
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/nodejs-deployment.yaml:1-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nodejs
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/nodejs-deployment.yaml:1-56
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: ReplicaSet.default.nginx
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_010_logging_and_monitoring/nginx.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: ReplicaSet
3 | metadata:
4 |   name: nginx
5 | spec:
6 |   selector:
7 |     matchLabels:
8 |       app: webapp
9 |   template:
10 |     metadata:
11 |       annotations:
12 |         ad.datadoghq.com/nginx.logs: '[{"source":"nginx","service":"webapp"}]'
13 |       labels:
14 |         app: webapp
15 |       name: nginx
16 |     spec:
17 |       containers:
18 |       - name: nginx
19 |         image: nginx
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: ReplicaSet.default.nginx
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_010_logging_and_monitoring/nginx.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: ReplicaSet.default.nginx
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_010_logging_and_monitoring/nginx.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ReplicaSet.default.nginx
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_010_logging_and_monitoring/nginx.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: ReplicaSet.default.nginx
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_010_logging_and_monitoring/nginx.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: ReplicaSet.default.nginx
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_010_logging_and_monitoring/nginx.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: ReplicaSet.default.nginx
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_010_logging_and_monitoring/nginx.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: ReplicaSet.default.nginx
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_010_logging_and_monitoring/nginx.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: ReplicaSet.default.nginx
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_010_logging_and_monitoring/nginx.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: ReplicaSet.default.nginx
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_010_logging_and_monitoring/nginx.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: ReplicaSet.default.nginx
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_010_logging_and_monitoring/nginx.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: ReplicaSet.default.nginx
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_010_logging_and_monitoring/nginx.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: ReplicaSet.default.nginx
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_010_logging_and_monitoring/nginx.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: ReplicaSet.default.nginx
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_010_logging_and_monitoring/nginx.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: ReplicaSet.default.nginx
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_010_logging_and_monitoring/nginx.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: ReplicaSet.default.nginx
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_010_logging_and_monitoring/nginx.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: ReplicaSet.default.nginx
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_010_logging_and_monitoring/nginx.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: ReplicaSet.default.nginx
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_010_logging_and_monitoring/nginx.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: ReplicaSet.default.nginx
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_010_logging_and_monitoring/nginx.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ServiceAccount.default.mongo-mongodb
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:3-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
3 | apiVersion: v1
4 | kind: ServiceAccount
5 | metadata:
6 | name: mongo-mongodb
7 | namespace: default
8 | labels:
9 | app.kubernetes.io/name: mongodb
10 | helm.sh/chart: mongodb-10.7.1
11 | app.kubernetes.io/instance: mongo
12 | app.kubernetes.io/managed-by: Helm
13 | secrets:
14 | - name: mongo-mongodb
15 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.mongo-mongodb-scripts
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:17-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
17 | apiVersion: v1
18 | kind: ConfigMap
19 | metadata:
20 | name: mongo-mongodb-scripts
21 | namespace: default
22 | labels:
23 | app.kubernetes.io/name: mongodb
24 | helm.sh/chart: mongodb-10.7.1
25 | app.kubernetes.io/instance: mongo
26 | app.kubernetes.io/managed-by: Helm
27 | app.kubernetes.io/component: mongodb
28 | data:
29 | setup.sh: |-
30 | #!/bin/bash
31 |
32 | echo "Advertised Hostname: $MONGODB_ADVERTISED_HOSTNAME"
33 |
34 | if [[ "$MY_POD_NAME" = "mongo-mongodb-0" ]]; then
35 | echo "Pod name matches initial primary pod name, configuring node as a primary"
36 | export MONGODB_REPLICA_SET_MODE="primary"
37 | else
38 | echo "Pod name doesn't match initial primary pod name, configuring node as a secondary"
39 | export MONGODB_REPLICA_SET_MODE="secondary"
40 | export MONGODB_INITIAL_PRIMARY_ROOT_PASSWORD="$MONGODB_ROOT_PASSWORD"
41 | export MONGODB_INITIAL_PRIMARY_PORT_NUMBER="$MONGODB_PORT_NUMBER"
42 | export MONGODB_ROOT_PASSWORD="" MONGODB_USERNAME="" MONGODB_DATABASE="" MONGODB_PASSWORD=""
43 | fi
44 |
45 | exec /opt/bitnami/scripts/mongodb/entrypoint.sh /opt/bitnami/scripts/mongodb/run.sh
46 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.mongo-mongodb-arbiter-headless
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:48-70
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
48 | apiVersion: v1
49 | kind: Service
50 | metadata:
51 | name: mongo-mongodb-arbiter-headless
52 | namespace: default
53 | labels:
54 | app.kubernetes.io/name: mongodb
55 | helm.sh/chart: mongodb-10.7.1
56 | app.kubernetes.io/instance: mongo
57 | app.kubernetes.io/managed-by: Helm
58 | app.kubernetes.io/component: arbiter
59 | spec:
60 | type: ClusterIP
61 | clusterIP: None
62 | ports:
63 | - name: tcp-mongodb
64 | port: 27017
65 | targetPort: mongodb
66 | selector:
67 | app.kubernetes.io/name: mongodb
68 | app.kubernetes.io/instance: mongo
69 | app.kubernetes.io/component: arbiter
70 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.mongo-mongodb-headless
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:72-95
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
72 | apiVersion: v1
73 | kind: Service
74 | metadata:
75 | name: mongo-mongodb-headless
76 | namespace: default
77 | labels:
78 | app.kubernetes.io/name: mongodb
79 | helm.sh/chart: mongodb-10.7.1
80 | app.kubernetes.io/instance: mongo
81 | app.kubernetes.io/managed-by: Helm
82 | app.kubernetes.io/component: mongodb
83 | spec:
84 | type: ClusterIP
85 | clusterIP: None
86 | publishNotReadyAddresses: true
87 | ports:
88 | - name: mongodb
89 | port: 27017
90 | targetPort: mongodb
91 | selector:
92 | app.kubernetes.io/name: mongodb
93 | app.kubernetes.io/instance: mongo
94 | app.kubernetes.io/component: mongodb
95 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: StatefulSet.default.mongo-mongodb-arbiter
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:97-208
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: StatefulSet.default.mongo-mongodb-arbiter
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:97-208
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: StatefulSet.default.mongo-mongodb-arbiter
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:97-208
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: StatefulSet.default.mongo-mongodb-arbiter
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:97-208
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: StatefulSet.default.mongo-mongodb-arbiter
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:97-208
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: StatefulSet.default.mongo-mongodb-arbiter
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:97-208
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: StatefulSet.default.mongo-mongodb-arbiter
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:97-208
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: StatefulSet.default.mongo-mongodb-arbiter
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:97-208
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: StatefulSet.default.mongo-mongodb-arbiter
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:97-208
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: StatefulSet.default.mongo-mongodb-arbiter
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:97-208
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: StatefulSet.default.mongo-mongodb-arbiter
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:97-208
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: StatefulSet.default.mongo-mongodb-arbiter
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:97-208
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: StatefulSet.default.mongo-mongodb-arbiter
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:97-208
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: StatefulSet.default.mongo-mongodb-arbiter
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:97-208
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: StatefulSet.default.mongo-mongodb-arbiter
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:97-208
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: StatefulSet.default.mongo-mongodb
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:210-361
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: StatefulSet.default.mongo-mongodb
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:210-361
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: StatefulSet.default.mongo-mongodb
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:210-361
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: StatefulSet.default.mongo-mongodb
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:210-361
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: StatefulSet.default.mongo-mongodb
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:210-361
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: StatefulSet.default.mongo-mongodb
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:210-361
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: StatefulSet.default.mongo-mongodb
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:210-361
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: StatefulSet.default.mongo-mongodb
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:210-361
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: StatefulSet.default.mongo-mongodb
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:210-361
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: StatefulSet.default.mongo-mongodb
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:210-361
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: StatefulSet.default.mongo-mongodb
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:210-361
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: StatefulSet.default.mongo-mongodb
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:210-361
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: StatefulSet.default.mongo-mongodb
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:210-361
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: StatefulSet.default.mongo-mongodb
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:210-361
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: StatefulSet.default.mongo-mongodb
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:210-361
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ServiceAccount.default.app-nodeapp
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:3-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
3 | apiVersion: v1
4 | kind: ServiceAccount
5 | metadata:
6 |   name: app-nodeapp
7 |   labels:
8 |     helm.sh/chart: nodeapp-0.1.0
9 |     app.kubernetes.io/name: nodeapp
10 |     app.kubernetes.io/instance: app
11 |     app.kubernetes.io/version: "1.16.0"
12 |     app.kubernetes.io/managed-by: Helm
13 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Secret.default.app-auth
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:15-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
15 | apiVersion: v1
16 | kind: Secret
17 | metadata:
18 |   name: app-auth
19 | data:
20 |   MONGO_PASSWORD: cGFzc3dvcmQ=
21 |   MONGO_USERNAME: cm9vdA==
22 |   mongodb-replica-set-key: a2V5MTIz
23 |   mongodb-root-password: cGFzc3dvcmQ=
24 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.app-config
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:26-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
26 | apiVersion: v1
27 | kind: ConfigMap
28 | metadata:
29 |   name: app-config
30 | data:
31 |   MONGO_HOSTNAME: "mongo-mongodb-0.mongo-mongodb-headless.default.svc.cluster.local,mongo-mongodb-1.mongo-mongodb-headless.default.svc.cluster.local,mongo-mongodb-2.mongo-mongodb-headless.default.svc.cluster.local"
32 |   MONGO_PORT: "27017"
33 |   MONGO_DB: "sharkinfo"
34 |   MONGO_REPLICASET: "db"
35 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.app-nodeapp
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:37-57
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
37 | apiVersion: v1
38 | kind: Service
39 | metadata:
40 |   name: app-nodeapp
41 |   labels:
42 |     helm.sh/chart: nodeapp-0.1.0
43 |     app.kubernetes.io/name: nodeapp
44 |     app.kubernetes.io/instance: app
45 |     app.kubernetes.io/version: "1.16.0"
46 |     app.kubernetes.io/managed-by: Helm
47 | spec:
48 |   type: LoadBalancer
49 |   ports:
50 |     - port: 80
51 |       targetPort: http
52 |       protocol: TCP
53 |       name: http
54 |   selector:
55 |     app.kubernetes.io/name: nodeapp
56 |     app.kubernetes.io/instance: app
57 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.app-nodeapp
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:59-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.app-nodeapp
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:59-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.app-nodeapp
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:59-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.app-nodeapp
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:59-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.app-nodeapp
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:59-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.app-nodeapp
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:59-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.default.app-nodeapp
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:59-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.app-nodeapp
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:59-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.app-nodeapp
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:59-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.app-nodeapp
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:59-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.app-nodeapp
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:59-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.app-nodeapp
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:59-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.app-nodeapp
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:59-139
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.default.app-nodeapp-test-connection
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:165-183
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
165 | apiVersion: v1
166 | kind: Pod
167 | metadata:
168 |   name: "app-nodeapp-test-connection"
169 |   labels:
170 |     helm.sh/chart: nodeapp-0.1.0
171 |     app.kubernetes.io/name: nodeapp
172 |     app.kubernetes.io/instance: app
173 |     app.kubernetes.io/version: "1.16.0"
174 |     app.kubernetes.io/managed-by: Helm
175 |   annotations:
176 |     "helm.sh/hook": test
177 | spec:
178 |   containers:
179 |     - name: wget
180 |       image: busybox
181 |       command: ['wget']
182 |       args: ['app-nodeapp:80']
183 |   restartPolicy: Never
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.app-nodeapp-test-connection
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:165-183
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
165 | apiVersion: v1
166 | kind: Pod
167 | metadata:
168 |   name: "app-nodeapp-test-connection"
169 |   labels:
170 |     helm.sh/chart: nodeapp-0.1.0
171 |     app.kubernetes.io/name: nodeapp
172 |     app.kubernetes.io/instance: app
173 |     app.kubernetes.io/version: "1.16.0"
174 |     app.kubernetes.io/managed-by: Helm
175 |   annotations:
176 |     "helm.sh/hook": test
177 | spec:
178 |   containers:
179 |     - name: wget
180 |       image: busybox
181 |       command: ['wget']
182 |       args: ['app-nodeapp:80']
183 |   restartPolicy: Never
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Pod.default.app-nodeapp-test-connection
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:165-183
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
165 | apiVersion: v1
166 | kind: Pod
167 | metadata:
168 |   name: "app-nodeapp-test-connection"
169 |   labels:
170 |     helm.sh/chart: nodeapp-0.1.0
171 |     app.kubernetes.io/name: nodeapp
172 |     app.kubernetes.io/instance: app
173 |     app.kubernetes.io/version: "1.16.0"
174 |     app.kubernetes.io/managed-by: Helm
175 |   annotations:
176 |     "helm.sh/hook": test
177 | spec:
178 |   containers:
179 |     - name: wget
180 |       image: busybox
181 |       command: ['wget']
182 |       args: ['app-nodeapp:80']
183 |   restartPolicy: Never
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.app-nodeapp-test-connection
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:165-183
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
165 | apiVersion: v1
166 | kind: Pod
167 | metadata:
168 |   name: "app-nodeapp-test-connection"
169 |   labels:
170 |     helm.sh/chart: nodeapp-0.1.0
171 |     app.kubernetes.io/name: nodeapp
172 |     app.kubernetes.io/instance: app
173 |     app.kubernetes.io/version: "1.16.0"
174 |     app.kubernetes.io/managed-by: Helm
175 |   annotations:
176 |     "helm.sh/hook": test
177 | spec:
178 |   containers:
179 |     - name: wget
180 |       image: busybox
181 |       command: ['wget']
182 |       args: ['app-nodeapp:80']
183 |   restartPolicy: Never
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.app-nodeapp-test-connection
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:165-183
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
165 | apiVersion: v1
166 | kind: Pod
167 | metadata:
168 |   name: "app-nodeapp-test-connection"
169 |   labels:
170 |     helm.sh/chart: nodeapp-0.1.0
171 |     app.kubernetes.io/name: nodeapp
172 |     app.kubernetes.io/instance: app
173 |     app.kubernetes.io/version: "1.16.0"
174 |     app.kubernetes.io/managed-by: Helm
175 |   annotations:
176 |     "helm.sh/hook": test
177 | spec:
178 |   containers:
179 |     - name: wget
180 |       image: busybox
181 |       command: ['wget']
182 |       args: ['app-nodeapp:80']
183 |   restartPolicy: Never
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.app-nodeapp-test-connection
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:165-183
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
165 | apiVersion: v1
166 | kind: Pod
167 | metadata:
168 |   name: "app-nodeapp-test-connection"
169 |   labels:
170 |     helm.sh/chart: nodeapp-0.1.0
171 |     app.kubernetes.io/name: nodeapp
172 |     app.kubernetes.io/instance: app
173 |     app.kubernetes.io/version: "1.16.0"
174 |     app.kubernetes.io/managed-by: Helm
175 |   annotations:
176 |     "helm.sh/hook": test
177 | spec:
178 |   containers:
179 |     - name: wget
180 |       image: busybox
181 |       command: ['wget']
182 |       args: ['app-nodeapp:80']
183 |   restartPolicy: Never
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.default.app-nodeapp-test-connection
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:165-183
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
165 | apiVersion: v1
166 | kind: Pod
167 | metadata:
168 |   name: "app-nodeapp-test-connection"
169 |   labels:
170 |     helm.sh/chart: nodeapp-0.1.0
171 |     app.kubernetes.io/name: nodeapp
172 |     app.kubernetes.io/instance: app
173 |     app.kubernetes.io/version: "1.16.0"
174 |     app.kubernetes.io/managed-by: Helm
175 |   annotations:
176 |     "helm.sh/hook": test
177 | spec:
178 |   containers:
179 |     - name: wget
180 |       image: busybox
181 |       command: ['wget']
182 |       args: ['app-nodeapp:80']
183 |   restartPolicy: Never
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.app-nodeapp-test-connection
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:165-183
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
165 | apiVersion: v1
166 | kind: Pod
167 | metadata:
168 |   name: "app-nodeapp-test-connection"
169 |   labels:
170 |     helm.sh/chart: nodeapp-0.1.0
171 |     app.kubernetes.io/name: nodeapp
172 |     app.kubernetes.io/instance: app
173 |     app.kubernetes.io/version: "1.16.0"
174 |     app.kubernetes.io/managed-by: Helm
175 |   annotations:
176 |     "helm.sh/hook": test
177 | spec:
178 |   containers:
179 |     - name: wget
180 |       image: busybox
181 |       command: ['wget']
182 |       args: ['app-nodeapp:80']
183 |   restartPolicy: Never
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.app-nodeapp-test-connection
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:165-183
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
165 | apiVersion: v1
166 | kind: Pod
167 | metadata:
168 |   name: "app-nodeapp-test-connection"
169 |   labels:
170 |     helm.sh/chart: nodeapp-0.1.0
171 |     app.kubernetes.io/name: nodeapp
172 |     app.kubernetes.io/instance: app
173 |     app.kubernetes.io/version: "1.16.0"
174 |     app.kubernetes.io/managed-by: Helm
175 |   annotations:
176 |     "helm.sh/hook": test
177 | spec:
178 |   containers:
179 |     - name: wget
180 |       image: busybox
181 |       command: ['wget']
182 |       args: ['app-nodeapp:80']
183 |   restartPolicy: Never
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.app-nodeapp-test-connection
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:165-183
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
165 | apiVersion: v1
166 | kind: Pod
167 | metadata:
168 |   name: "app-nodeapp-test-connection"
169 |   labels:
170 |     helm.sh/chart: nodeapp-0.1.0
171 |     app.kubernetes.io/name: nodeapp
172 |     app.kubernetes.io/instance: app
173 |     app.kubernetes.io/version: "1.16.0"
174 |     app.kubernetes.io/managed-by: Helm
175 |   annotations:
176 |     "helm.sh/hook": test
177 | spec:
178 |   containers:
179 |     - name: wget
180 |       image: busybox
181 |       command: ['wget']
182 |       args: ['app-nodeapp:80']
183 |   restartPolicy: Never
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.default.app-nodeapp-test-connection
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:165-183
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
165 | apiVersion: v1
166 | kind: Pod
167 | metadata:
168 |   name: "app-nodeapp-test-connection"
169 |   labels:
170 |     helm.sh/chart: nodeapp-0.1.0
171 |     app.kubernetes.io/name: nodeapp
172 |     app.kubernetes.io/instance: app
173 |     app.kubernetes.io/version: "1.16.0"
174 |     app.kubernetes.io/managed-by: Helm
175 |   annotations:
176 |     "helm.sh/hook": test
177 | spec:
178 |   containers:
179 |     - name: wget
180 |       image: busybox
181 |       command: ['wget']
182 |       args: ['app-nodeapp:80']
183 |   restartPolicy: Never
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.app-nodeapp-test-connection
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:165-183
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
165 | apiVersion: v1
166 | kind: Pod
167 | metadata:
168 |   name: "app-nodeapp-test-connection"
169 |   labels:
170 |     helm.sh/chart: nodeapp-0.1.0
171 |     app.kubernetes.io/name: nodeapp
172 |     app.kubernetes.io/instance: app
173 |     app.kubernetes.io/version: "1.16.0"
174 |     app.kubernetes.io/managed-by: Helm
175 |   annotations:
176 |     "helm.sh/hook": test
177 | spec:
178 |   containers:
179 |     - name: wget
180 |       image: busybox
181 |       command: ['wget']
182 |       args: ['app-nodeapp:80']
183 |   restartPolicy: Never
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.default.app-nodeapp-test-connection
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:165-183
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
165 | apiVersion: v1
166 | kind: Pod
167 | metadata:
168 |   name: "app-nodeapp-test-connection"
169 |   labels:
170 |     helm.sh/chart: nodeapp-0.1.0
171 |     app.kubernetes.io/name: nodeapp
172 |     app.kubernetes.io/instance: app
173 |     app.kubernetes.io/version: "1.16.0"
174 |     app.kubernetes.io/managed-by: Helm
175 |   annotations:
176 |     "helm.sh/hook": test
177 | spec:
178 |   containers:
179 |     - name: wget
180 |       image: busybox
181 |       command: ['wget']
182 |       args: ['app-nodeapp:80']
183 |   restartPolicy: Never
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.app-nodeapp-test-connection
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:165-183
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
165 | apiVersion: v1
166 | kind: Pod
167 | metadata:
168 |   name: "app-nodeapp-test-connection"
169 |   labels:
170 |     helm.sh/chart: nodeapp-0.1.0
171 |     app.kubernetes.io/name: nodeapp
172 |     app.kubernetes.io/instance: app
173 |     app.kubernetes.io/version: "1.16.0"
174 |     app.kubernetes.io/managed-by: Helm
175 |   annotations:
176 |     "helm.sh/hook": test
177 | spec:
178 |   containers:
179 |     - name: wget
180 |       image: busybox
181 |       command: ['wget']
182 |       args: ['app-nodeapp:80']
183 |   restartPolicy: Never
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.app-nodeapp-test-connection
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:165-183
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
165 | apiVersion: v1
166 | kind: Pod
167 | metadata:
168 |   name: "app-nodeapp-test-connection"
169 |   labels:
170 |     helm.sh/chart: nodeapp-0.1.0
171 |     app.kubernetes.io/name: nodeapp
172 |     app.kubernetes.io/instance: app
173 |     app.kubernetes.io/version: "1.16.0"
174 |     app.kubernetes.io/managed-by: Helm
175 |   annotations:
176 |     "helm.sh/hook": test
177 | spec:
178 |   containers:
179 |     - name: wget
180 |       image: busybox
181 |       command: ['wget']
182 |       args: ['app-nodeapp:80']
183 |   restartPolicy: Never
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.app-nodeapp-test-connection
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:165-183
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
165 | apiVersion: v1
166 | kind: Pod
167 | metadata:
168 |   name: "app-nodeapp-test-connection"
169 |   labels:
170 |     helm.sh/chart: nodeapp-0.1.0
171 |     app.kubernetes.io/name: nodeapp
172 |     app.kubernetes.io/instance: app
173 |     app.kubernetes.io/version: "1.16.0"
174 |     app.kubernetes.io/managed-by: Helm
175 |   annotations:
176 |     "helm.sh/hook": test
177 | spec:
178 |   containers:
179 |     - name: wget
180 |       image: busybox
181 |       command: ['wget']
182 |       args: ['app-nodeapp:80']
183 |   restartPolicy: Never
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Pod.default.app-nodeapp-test-connection
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:165-183
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
165 | apiVersion: v1
166 | kind: Pod
167 | metadata:
168 |   name: "app-nodeapp-test-connection"
169 |   labels:
170 |     helm.sh/chart: nodeapp-0.1.0
171 |     app.kubernetes.io/name: nodeapp
172 |     app.kubernetes.io/instance: app
173 |     app.kubernetes.io/version: "1.16.0"
174 |     app.kubernetes.io/managed-by: Helm
175 |   annotations:
176 |     "helm.sh/hook": test
177 | spec:
178 |   containers:
179 |     - name: wget
180 |       image: busybox
181 |       command: ['wget']
182 |       args: ['app-nodeapp:80']
183 |   restartPolicy: Never
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.default.app-nodeapp-test-connection
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:165-183
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
165 | apiVersion: v1
166 | kind: Pod
167 | metadata:
168 |   name: "app-nodeapp-test-connection"
169 |   labels:
170 |     helm.sh/chart: nodeapp-0.1.0
171 |     app.kubernetes.io/name: nodeapp
172 |     app.kubernetes.io/instance: app
173 |     app.kubernetes.io/version: "1.16.0"
174 |     app.kubernetes.io/managed-by: Helm
175 |   annotations:
176 |     "helm.sh/hook": test
177 | spec:
178 |   containers:
179 |     - name: wget
180 |       image: busybox
181 |       command: ['wget']
182 |       args: ['app-nodeapp:80']
183 |   restartPolicy: Never
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.app-nodeapp-test-connection
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:165-183
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
165 | apiVersion: v1
166 | kind: Pod
167 | metadata:
168 |   name: "app-nodeapp-test-connection"
169 |   labels:
170 |     helm.sh/chart: nodeapp-0.1.0
171 |     app.kubernetes.io/name: nodeapp
172 |     app.kubernetes.io/instance: app
173 |     app.kubernetes.io/version: "1.16.0"
174 |     app.kubernetes.io/managed-by: Helm
175 |   annotations:
176 |     "helm.sh/hook": test
177 | spec:
178 |   containers:
179 |     - name: wget
180 |       image: busybox
181 |       command: ['wget']
182 |       args: ['app-nodeapp:80']
183 |   restartPolicy: Never
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Secret.default.mongo-secret
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/secret.yaml:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | data:
3 |   MONGO_PASSWORD: cGFzc3dvcmQ=
4 |   MONGO_USERNAME: cm9vdA==
5 |   mongodb-replica-set-key: a2V5MTIz
6 |   mongodb-root-password: cGFzc3dvcmQ=
7 | kind: Secret
8 | metadata:
9 |   creationTimestamp: null
10 |   name: mongo-secret
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_045__local__kind__extra_port_mappings/pod.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 |   name: foo
5 | spec:
6 |   containers:
7 |     - name: foo
8 |       image: nginx:latest
9 |       ports:
10 |         - containerPort: 80
11 |           hostPort: 8080
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_045__local__kind__extra_port_mappings/pod.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 |   name: foo
5 | spec:
6 |   containers:
7 |   - name: foo
8 |     image: nginx:latest
9 |     ports:
10 |     - containerPort: 80
11 |       hostPort: 8080
Check: CKV_K8S_26: "Do not specify hostPort unless absolutely necessary"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_045__local__kind__extra_port_mappings/pod.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-25.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 |   name: foo
5 | spec:
6 |   containers:
7 |   - name: foo
8 |     image: nginx:latest
9 |     ports:
10 |     - containerPort: 80
11 |       hostPort: 8080
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_045__local__kind__extra_port_mappings/pod.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 |   name: foo
5 | spec:
6 |   containers:
7 |   - name: foo
8 |     image: nginx:latest
9 |     ports:
10 |     - containerPort: 80
11 |       hostPort: 8080
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_045__local__kind__extra_port_mappings/pod.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 |   name: foo
5 | spec:
6 |   containers:
7 |   - name: foo
8 |     image: nginx:latest
9 |     ports:
10 |     - containerPort: 80
11 |       hostPort: 8080
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_045__local__kind__extra_port_mappings/pod.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 |   name: foo
5 | spec:
6 |   containers:
7 |   - name: foo
8 |     image: nginx:latest
9 |     ports:
10 |     - containerPort: 80
11 |       hostPort: 8080
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_045__local__kind__extra_port_mappings/pod.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 |   name: foo
5 | spec:
6 |   containers:
7 |   - name: foo
8 |     image: nginx:latest
9 |     ports:
10 |     - containerPort: 80
11 |       hostPort: 8080
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_045__local__kind__extra_port_mappings/pod.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 |   name: foo
5 | spec:
6 |   containers:
7 |   - name: foo
8 |     image: nginx:latest
9 |     ports:
10 |     - containerPort: 80
11 |       hostPort: 8080
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_045__local__kind__extra_port_mappings/pod.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 |   name: foo
5 | spec:
6 |   containers:
7 |   - name: foo
8 |     image: nginx:latest
9 |     ports:
10 |     - containerPort: 80
11 |       hostPort: 8080
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_045__local__kind__extra_port_mappings/pod.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 |   name: foo
5 | spec:
6 |   containers:
7 |   - name: foo
8 |     image: nginx:latest
9 |     ports:
10 |     - containerPort: 80
11 |       hostPort: 8080
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_045__local__kind__extra_port_mappings/pod.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 |   name: foo
5 | spec:
6 |   containers:
7 |   - name: foo
8 |     image: nginx:latest
9 |     ports:
10 |     - containerPort: 80
11 |       hostPort: 8080
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_045__local__kind__extra_port_mappings/pod.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 |   name: foo
5 | spec:
6 |   containers:
7 |   - name: foo
8 |     image: nginx:latest
9 |     ports:
10 |     - containerPort: 80
11 |       hostPort: 8080
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_045__local__kind__extra_port_mappings/pod.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 |   name: foo
5 | spec:
6 |   containers:
7 |   - name: foo
8 |     image: nginx:latest
9 |     ports:
10 |     - containerPort: 80
11 |       hostPort: 8080
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_045__local__kind__extra_port_mappings/pod.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 |   name: foo
5 | spec:
6 |   containers:
7 |   - name: foo
8 |     image: nginx:latest
9 |     ports:
10 |     - containerPort: 80
11 |       hostPort: 8080
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_045__local__kind__extra_port_mappings/pod.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 |   name: foo
5 | spec:
6 |   containers:
7 |   - name: foo
8 |     image: nginx:latest
9 |     ports:
10 |     - containerPort: 80
11 |       hostPort: 8080
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_045__local__kind__extra_port_mappings/pod.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 |   name: foo
5 | spec:
6 |   containers:
7 |   - name: foo
8 |     image: nginx:latest
9 |     ports:
10 |     - containerPort: 80
11 |       hostPort: 8080
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_045__local__kind__extra_port_mappings/pod.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 |   name: foo
5 | spec:
6 |   containers:
7 |   - name: foo
8 |     image: nginx:latest
9 |     ports:
10 |     - containerPort: 80
11 |       hostPort: 8080
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_045__local__kind__extra_port_mappings/pod.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 |   name: foo
5 | spec:
6 |   containers:
7 |   - name: foo
8 |     image: nginx:latest
9 |     ports:
10 |     - containerPort: 80
11 |       hostPort: 8080
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_045__local__kind__extra_port_mappings/pod.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 |   name: foo
5 | spec:
6 |   containers:
7 |   - name: foo
8 |     image: nginx:latest
9 |     ports:
10 |     - containerPort: 80
11 |       hostPort: 8080
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_045__local__kind__extra_port_mappings/pod.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 |   name: foo
5 | spec:
6 |   containers:
7 |   - name: foo
8 |     image: nginx:latest
9 |     ports:
10 |     - containerPort: 80
11 |       hostPort: 8080
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_021__gcp__intermediate_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: www
5 |   namespace: kube-system
6 | spec:
7 |   replicas: 3
8 |   selector:
9 |     matchLabels:
10 |       app: www
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: www
15 |     spec:
16 |       containers:
17 |       - name: nginx
18 |         image: nginx:1.14-alpine
19 |         ports:
20 |         - containerPort: 80
21 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_021__gcp__intermediate_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: www
5 |   namespace: kube-system
6 | spec:
7 |   replicas: 3
8 |   selector:
9 |     matchLabels:
10 |       app: www
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: www
15 |     spec:
16 |       containers:
17 |       - name: nginx
18 |         image: nginx:1.14-alpine
19 |         ports:
20 |         - containerPort: 80
21 | ---
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_021__gcp__intermediate_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: www
5 |   namespace: kube-system
6 | spec:
7 |   replicas: 3
8 |   selector:
9 |     matchLabels:
10 |       app: www
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: www
15 |     spec:
16 |       containers:
17 |       - name: nginx
18 |         image: nginx:1.14-alpine
19 |         ports:
20 |         - containerPort: 80
21 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_021__gcp__intermediate_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: www
5 |   namespace: kube-system
6 | spec:
7 |   replicas: 3
8 |   selector:
9 |     matchLabels:
10 |       app: www
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: www
15 |     spec:
16 |       containers:
17 |       - name: nginx
18 |         image: nginx:1.14-alpine
19 |         ports:
20 |         - containerPort: 80
21 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_021__gcp__intermediate_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: www
5 |   namespace: kube-system
6 | spec:
7 |   replicas: 3
8 |   selector:
9 |     matchLabels:
10 |       app: www
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: www
15 |     spec:
16 |       containers:
17 |       - name: nginx
18 |         image: nginx:1.14-alpine
19 |         ports:
20 |         - containerPort: 80
21 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_021__gcp__intermediate_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: www
5 |   namespace: kube-system
6 | spec:
7 |   replicas: 3
8 |   selector:
9 |     matchLabels:
10 |       app: www
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: www
15 |     spec:
16 |       containers:
17 |       - name: nginx
18 |         image: nginx:1.14-alpine
19 |         ports:
20 |         - containerPort: 80
21 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_021__gcp__intermediate_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: www
5 |   namespace: kube-system
6 | spec:
7 |   replicas: 3
8 |   selector:
9 |     matchLabels:
10 |       app: www
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: www
15 |     spec:
16 |       containers:
17 |       - name: nginx
18 |         image: nginx:1.14-alpine
19 |         ports:
20 |         - containerPort: 80
21 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_021__gcp__intermediate_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: www
5 |   namespace: kube-system
6 | spec:
7 |   replicas: 3
8 |   selector:
9 |     matchLabels:
10 |       app: www
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: www
15 |     spec:
16 |       containers:
17 |       - name: nginx
18 |         image: nginx:1.14-alpine
19 |         ports:
20 |         - containerPort: 80
21 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_021__gcp__intermediate_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: www
5 |   namespace: kube-system
6 | spec:
7 |   replicas: 3
8 |   selector:
9 |     matchLabels:
10 |       app: www
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: www
15 |     spec:
16 |       containers:
17 |       - name: nginx
18 |         image: nginx:1.14-alpine
19 |         ports:
20 |         - containerPort: 80
21 | ---
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_021__gcp__intermediate_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: www
5 |   namespace: kube-system
6 | spec:
7 |   replicas: 3
8 |   selector:
9 |     matchLabels:
10 |       app: www
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: www
15 |     spec:
16 |       containers:
17 |       - name: nginx
18 |         image: nginx:1.14-alpine
19 |         ports:
20 |         - containerPort: 80
21 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_021__gcp__intermediate_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: www
5 |   namespace: kube-system
6 | spec:
7 |   replicas: 3
8 |   selector:
9 |     matchLabels:
10 |       app: www
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: www
15 |     spec:
16 |       containers:
17 |       - name: nginx
18 |         image: nginx:1.14-alpine
19 |         ports:
20 |         - containerPort: 80
21 | ---
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_021__gcp__intermediate_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: www
5 |   namespace: kube-system
6 | spec:
7 |   replicas: 3
8 |   selector:
9 |     matchLabels:
10 |       app: www
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: www
15 |     spec:
16 |       containers:
17 |       - name: nginx
18 |         image: nginx:1.14-alpine
19 |         ports:
20 |         - containerPort: 80
21 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_021__gcp__intermediate_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: www
5 |   namespace: kube-system
6 | spec:
7 |   replicas: 3
8 |   selector:
9 |     matchLabels:
10 |       app: www
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: www
15 |     spec:
16 |       containers:
17 |       - name: nginx
18 |         image: nginx:1.14-alpine
19 |         ports:
20 |         - containerPort: 80
21 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_021__gcp__intermediate_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: www
5 |   namespace: kube-system
6 | spec:
7 |   replicas: 3
8 |   selector:
9 |     matchLabels:
10 |       app: www
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: www
15 |     spec:
16 |       containers:
17 |       - name: nginx
18 |         image: nginx:1.14-alpine
19 |         ports:
20 |         - containerPort: 80
21 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_021__gcp__intermediate_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: www
5 |   namespace: kube-system
6 | spec:
7 |   replicas: 3
8 |   selector:
9 |     matchLabels:
10 |       app: www
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: www
15 |     spec:
16 |       containers:
17 |       - name: nginx
18 |         image: nginx:1.14-alpine
19 |         ports:
20 |         - containerPort: 80
21 | ---
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_021__gcp__intermediate_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: www
5 |   namespace: kube-system
6 | spec:
7 |   replicas: 3
8 |   selector:
9 |     matchLabels:
10 |       app: www
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: www
15 |     spec:
16 |       containers:
17 |       - name: nginx
18 |         image: nginx:1.14-alpine
19 |         ports:
20 |         - containerPort: 80
21 | ---
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_021__gcp__intermediate_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: www
5 |   namespace: kube-system
6 | spec:
7 |   replicas: 3
8 |   selector:
9 |     matchLabels:
10 |       app: www
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: www
15 |     spec:
16 |       containers:
17 |       - name: nginx
18 |         image: nginx:1.14-alpine
19 |         ports:
20 |         - containerPort: 80
21 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_021__gcp__intermediate_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: www
5 |   namespace: kube-system
6 | spec:
7 |   replicas: 3
8 |   selector:
9 |     matchLabels:
10 |       app: www
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: www
15 |     spec:
16 |       containers:
17 |       - name: nginx
18 |         image: nginx:1.14-alpine
19 |         ports:
20 |         - containerPort: 80
21 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: RoleBinding.default.rolebinding-monitoring-ns
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_021__gcp__intermediate_namespace_wide_kubeconfig/dev/default/groupQA/role-binding.yaml:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | kind: RoleBinding
2 | apiVersion: rbac.authorization.k8s.io/v1
3 | metadata:
4 |   name: rolebinding-monitoring-ns
5 |   namespace: default
6 | subjects:
7 | - kind: Group
8 |   name: groupQA
9 |   apiGroup: rbac.authorization.k8s.io
10 | roleRef:
11 |   kind: Role
12 |   name: role-default
13 |   apiGroup: rbac.authorization.k8s.io
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Role.default.role-default
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_021__gcp__intermediate_namespace_wide_kubeconfig/dev/default/groupQA/role-readonly.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | kind: Role
2 | apiVersion: rbac.authorization.k8s.io/v1
3 | metadata:
4 |   namespace: default
5 |   name: role-default
6 | rules:
7 | - apiGroups: [""]
8 |   resources: ["pods", "services"]
9 |   verbs: ["get", "list"]
10 | - apiGroups: ["apps"]
11 |   resources: ["deployments"]
12 |   verbs: ["get", "list"]
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/20-traefik-service.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: Service
4 | metadata:
5 |   name: traefik
6 | spec:
7 |   type: LoadBalancer
8 |   selector:
9 |     app: traefik
10 |   ports:
11 |     - protocol: TCP
12 |       port: 80
13 |       name: web
14 |       targetPort: 80
15 |     - protocol: TCP
16 |       port: 443
17 |       name: websecure
18 |       targetPort: 80
19 |     - protocol: TCP
20 |       port: 8080
21 |       name: admin
22 |       targetPort: 8080
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   namespace: default
5 |   name: whoami
6 |   labels:
7 |     app: whoami
8 |
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: whoami
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: whoami
18 |     spec:
19 |       containers:
20 |         - name: whoami
21 |           image: containous/whoami
22 |           ports:
23 |             - name: web
24 |               containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   namespace: default
5 |   name: whoami
6 |   labels:
7 |     app: whoami
8 |
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: whoami
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: whoami
18 |     spec:
19 |       containers:
20 |         - name: whoami
21 |           image: containous/whoami
22 |           ports:
23 |             - name: web
24 |               containerPort: 80
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   namespace: default
5 |   name: whoami
6 |   labels:
7 |     app: whoami
8 |
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: whoami
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: whoami
18 |     spec:
19 |       containers:
20 |         - name: whoami
21 |           image: containous/whoami
22 |           ports:
23 |             - name: web
24 |               containerPort: 80
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   namespace: default
5 |   name: whoami
6 |   labels:
7 |     app: whoami
8 |
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: whoami
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: whoami
18 |     spec:
19 |       containers:
20 |         - name: whoami
21 |           image: containous/whoami
22 |           ports:
23 |             - name: web
24 |               containerPort: 80
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   namespace: default
5 |   name: whoami
6 |   labels:
7 |     app: whoami
8 |
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: whoami
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: whoami
18 |     spec:
19 |       containers:
20 |         - name: whoami
21 |           image: containous/whoami
22 |           ports:
23 |             - name: web
24 |               containerPort: 80
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.traefik-config-map
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/11-traefik-configmap.yaml:1-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ServiceAccount.default.traefik-ingress-controller
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/10-service-account.yaml:1-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: ServiceAccount
3 | metadata:
4 |   name: traefik-ingress-controller
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/30-whoami-service.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 |   name: whoami
5 |
6 | spec:
7 |   ports:
8 |     - protocol: TCP
9 |       name: web
10 |       port: 80
11 |   selector:
12 |     app: whoami
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | kind: Deployment
3 | apiVersion: apps/v1
4 | metadata:
5 |   name: traefik
6 |   labels:
7 |     app: traefik
8 |
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: traefik
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: traefik
18 |     spec:
19 |       serviceAccountName: traefik-ingress-controller
20 |       volumes:
21 |         - name: config
22 |           configMap:
23 |             name: traefik-config-map
24 |         - name: start-domain-com-ssl
25 |           secret:
26 |             secretName: start-domain-com-ssl
27 |       containers:
28 |         - name: traefik
29 |           image: traefik:v2.2.1
30 |           ports:
31 |             - name: web
32 |               containerPort: 80
33 |             - name: admin
34 |               containerPort: 8080
35 |             - name: websecure
36 |               containerPort: 443
37 |           volumeMounts:
38 |             - mountPath: /etc/traefik/traefik.toml
39 |               name: config
40 |               subPath: traefik.toml
41 |             - mountPath: "/var/ssl/start-domain-com-ssl"
42 |               name: start-domain-com-ssl
43 |               readOnly: true
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Secret.default.start-domain-com-ssl
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/12-secret.yaml:1-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | data:
3 | star_domain.com.key:
4 | star_domain_com.chained.crt:
5 | kind: Secret
6 | metadata:
7 | name: start-domain-com-ssl
8 | namespace: default
9 | type: Opaque
Check: CKV_K8S_155: "Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations"
FAILED for resource: ClusterRole.default.ingress-nginx-ext-admission
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/build/ingress_nginx_ext_all.yaml:238-261
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-control-over-validating-or-mutating-admission-webhook-configurations-are-minimized.html
238 | apiVersion: rbac.authorization.k8s.io/v1
239 | kind: ClusterRole
240 | metadata:
241 | annotations:
242 | helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
243 | helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
244 | labels:
245 | app.kubernetes.io/component: admission-webhook
246 | app.kubernetes.io/instance: ingress-nginx-ext
247 | app.kubernetes.io/managed-by: Helm
248 | app.kubernetes.io/name: ingress-nginx
249 | app.kubernetes.io/part-of: ingress-nginx
250 | app.kubernetes.io/version: 1.8.0
251 | helm.sh/chart: ingress-nginx-4.7.0
252 | name: ingress-nginx-ext-admission
253 | rules:
254 | - apiGroups:
255 | - admissionregistration.k8s.io
256 | resources:
257 | - validatingwebhookconfigurations
258 | verbs:
259 | - get
260 | - update
261 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.ingress-nginx-ext.ingress-nginx-ext-controller
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/build/ingress_nginx_ext_all.yaml:432-550
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.ingress-nginx-ext.ingress-nginx-ext-controller
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/build/ingress_nginx_ext_all.yaml:432-550
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_25: "Minimize the admission of containers with added capability"
FAILED for resource: Deployment.ingress-nginx-ext.ingress-nginx-ext-controller
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/build/ingress_nginx_ext_all.yaml:432-550
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-24.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.ingress-nginx-ext.ingress-nginx-ext-controller
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/build/ingress_nginx_ext_all.yaml:432-550
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.ingress-nginx-ext.ingress-nginx-ext-controller
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/build/ingress_nginx_ext_all.yaml:432-550
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.ingress-nginx-ext.ingress-nginx-ext-controller
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/build/ingress_nginx_ext_all.yaml:432-550
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.ingress-nginx-ext.ingress-nginx-ext-controller
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/build/ingress_nginx_ext_all.yaml:432-550
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.ingress-nginx-ext.ingress-nginx-ext-controller
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/build/ingress_nginx_ext_all.yaml:432-550
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.ingress-nginx-ext.ingress-nginx-ext-controller
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/build/ingress_nginx_ext_all.yaml:432-550
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-create
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/build/ingress_nginx_ext_all.yaml:551-604
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-create
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/build/ingress_nginx_ext_all.yaml:551-604
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-create
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/build/ingress_nginx_ext_all.yaml:551-604
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-create
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/build/ingress_nginx_ext_all.yaml:551-604
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-create
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/build/ingress_nginx_ext_all.yaml:551-604
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-create
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/build/ingress_nginx_ext_all.yaml:551-604
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-create
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/build/ingress_nginx_ext_all.yaml:551-604
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-create
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/build/ingress_nginx_ext_all.yaml:551-604
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-create
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/build/ingress_nginx_ext_all.yaml:551-604
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-create
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/build/ingress_nginx_ext_all.yaml:551-604
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-patch
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/build/ingress_nginx_ext_all.yaml:605-660
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-patch
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/build/ingress_nginx_ext_all.yaml:605-660
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-patch
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/build/ingress_nginx_ext_all.yaml:605-660
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-patch
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/build/ingress_nginx_ext_all.yaml:605-660
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-patch
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/build/ingress_nginx_ext_all.yaml:605-660
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-patch
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/build/ingress_nginx_ext_all.yaml:605-660
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-patch
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/build/ingress_nginx_ext_all.yaml:605-660
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-patch
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/build/ingress_nginx_ext_all.yaml:605-660
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-patch
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/build/ingress_nginx_ext_all.yaml:605-660
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-patch
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/build/ingress_nginx_ext_all.yaml:605-660
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.ingress-nginx-ext.ingress-nginx-ext-controller
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/vendor/ingress-nginx/ingress-nginx-ext-vendor.yaml:319-437
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.ingress-nginx-ext.ingress-nginx-ext-controller
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/vendor/ingress-nginx/ingress-nginx-ext-vendor.yaml:319-437
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_25: "Minimize the admission of containers with added capability"
FAILED for resource: Deployment.ingress-nginx-ext.ingress-nginx-ext-controller
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/vendor/ingress-nginx/ingress-nginx-ext-vendor.yaml:319-437
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-24.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.ingress-nginx-ext.ingress-nginx-ext-controller
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/vendor/ingress-nginx/ingress-nginx-ext-vendor.yaml:319-437
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.ingress-nginx-ext.ingress-nginx-ext-controller
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/vendor/ingress-nginx/ingress-nginx-ext-vendor.yaml:319-437
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.ingress-nginx-ext.ingress-nginx-ext-controller
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/vendor/ingress-nginx/ingress-nginx-ext-vendor.yaml:319-437
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.ingress-nginx-ext.ingress-nginx-ext-controller
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/vendor/ingress-nginx/ingress-nginx-ext-vendor.yaml:319-437
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.ingress-nginx-ext.ingress-nginx-ext-controller
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/vendor/ingress-nginx/ingress-nginx-ext-vendor.yaml:319-437
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.ingress-nginx-ext.ingress-nginx-ext-controller
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/vendor/ingress-nginx/ingress-nginx-ext-vendor.yaml:319-437
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_155: "Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations"
FAILED for resource: ClusterRole.default.ingress-nginx-ext-admission
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/vendor/ingress-nginx/ingress-nginx-ext-vendor.yaml:514-537
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-control-over-validating-or-mutating-admission-webhook-configurations-are-minimized.html
514 | apiVersion: rbac.authorization.k8s.io/v1
515 | kind: ClusterRole
516 | metadata:
517 | name: ingress-nginx-ext-admission
518 | annotations:
519 | "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
520 | "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
521 | labels:
522 | helm.sh/chart: ingress-nginx-4.7.0
523 | app.kubernetes.io/name: ingress-nginx
524 | app.kubernetes.io/instance: ingress-nginx-ext
525 | app.kubernetes.io/version: "1.8.0"
526 | app.kubernetes.io/part-of: ingress-nginx
527 | app.kubernetes.io/managed-by: Helm
528 | app.kubernetes.io/component: admission-webhook
529 | rules:
530 | - apiGroups:
531 | - admissionregistration.k8s.io
532 | resources:
533 | - validatingwebhookconfigurations
534 | verbs:
535 | - get
536 | - update
537 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-create
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/vendor/ingress-nginx/ingress-nginx-ext-vendor.yaml:616-669
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-create
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/vendor/ingress-nginx/ingress-nginx-ext-vendor.yaml:616-669
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-create
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/vendor/ingress-nginx/ingress-nginx-ext-vendor.yaml:616-669
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-create
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/vendor/ingress-nginx/ingress-nginx-ext-vendor.yaml:616-669
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-create
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/vendor/ingress-nginx/ingress-nginx-ext-vendor.yaml:616-669
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-create
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/vendor/ingress-nginx/ingress-nginx-ext-vendor.yaml:616-669
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-create
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/vendor/ingress-nginx/ingress-nginx-ext-vendor.yaml:616-669
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-create
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/vendor/ingress-nginx/ingress-nginx-ext-vendor.yaml:616-669
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-create
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/vendor/ingress-nginx/ingress-nginx-ext-vendor.yaml:616-669
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-create
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/vendor/ingress-nginx/ingress-nginx-ext-vendor.yaml:616-669
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-patch
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/vendor/ingress-nginx/ingress-nginx-ext-vendor.yaml:671-725
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-patch
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/vendor/ingress-nginx/ingress-nginx-ext-vendor.yaml:671-725
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-patch
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/vendor/ingress-nginx/ingress-nginx-ext-vendor.yaml:671-725
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-patch
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/vendor/ingress-nginx/ingress-nginx-ext-vendor.yaml:671-725
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-patch
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/vendor/ingress-nginx/ingress-nginx-ext-vendor.yaml:671-725
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-patch
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/vendor/ingress-nginx/ingress-nginx-ext-vendor.yaml:671-725
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-patch
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/vendor/ingress-nginx/ingress-nginx-ext-vendor.yaml:671-725
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-patch
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/vendor/ingress-nginx/ingress-nginx-ext-vendor.yaml:671-725
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-patch
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/vendor/ingress-nginx/ingress-nginx-ext-vendor.yaml:671-725
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Job.ingress-nginx-ext.ingress-nginx-ext-admission-patch
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/vendor/ingress-nginx/ingress-nginx-ext-vendor.yaml:671-725
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.ingress-nginx-ext.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/base/app/dep_whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | namespace: ingress-nginx-ext
5 | name: whoami
6 | labels:
7 | app: whoami
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: whoami
13 | template:
14 | metadata:
15 | labels:
16 | app: whoami
17 | spec:
18 | containers:
19 | - name: whoami
20 | image: containous/whoami
21 | ports:
22 | - name: web
23 | containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.ingress-nginx-ext.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/base/app/dep_whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.ingress-nginx-ext.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/base/app/dep_whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.ingress-nginx-ext.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/base/app/dep_whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.ingress-nginx-ext.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/base/app/dep_whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.ingress-nginx-ext.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/base/app/dep_whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.ingress-nginx-ext.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/base/app/dep_whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.ingress-nginx-ext.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/base/app/dep_whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.ingress-nginx-ext.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/base/app/dep_whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.ingress-nginx-ext.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/base/app/dep_whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.ingress-nginx-ext.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/base/app/dep_whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.ingress-nginx-ext.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/base/app/dep_whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.ingress-nginx-ext.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/base/app/dep_whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.ingress-nginx-ext.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/base/app/dep_whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.ingress-nginx-ext.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/base/app/dep_whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.ingress-nginx-ext.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/base/app/dep_whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.ingress-nginx-ext.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/base/app/dep_whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.ingress-nginx-ext.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/base/app/dep_whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
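All 18 checks reported above for Deployment.ingress-nginx-ext.whoami concern the pod template in dep_whoami.yaml, and every one of them is fixed by fields added to that template. The script below is an added example, not code from this repository or from checkov: it embeds the Deployment as a dict (Kubernetes YAML is JSON-compatible, so no pyyaml is needed), re-implements the 18 checks in simplified form (the securityContext `seccompProfile` form only, not the older `docker/default` and `runtime/default` annotations the check title mentions), and builds a hardened copy of the Deployment that clears them. The 10000 UID cutoff for CKV_K8S_40, the image tag, the all-zero digest, the `--port` flag and the probe path are assumptions and placeholders, not values taken from the page.

```python
"""Re-implement the CKV_K8S checks failing for dep_whoami.yaml and harden the manifest."""
import copy

# dep_whoami.yaml as reported by checkov, embedded as a dict
ORIGINAL = {
    "kind": "Deployment",
    "apiVersion": "apps/v1",
    "metadata": {"namespace": "ingress-nginx-ext", "name": "whoami", "labels": {"app": "whoami"}},
    "spec": {
        "replicas": 1,
        "selector": {"matchLabels": {"app": "whoami"}},
        "template": {
            "metadata": {"labels": {"app": "whoami"}},
            "spec": {"containers": [{"name": "whoami", "image": "containous/whoami",
                                     "ports": [{"name": "web", "containerPort": 80}]}]},
        },
    },
}

HIGH_UID = 10000  # assumption: the "high UID" cutoff used by CKV_K8S_40


def pod_spec(manifest):
    return manifest["spec"]["template"]["spec"]


def image_is_pinned(image):
    """CKV_K8S_14: the last path segment carries a digest or a tag other than 'latest'."""
    last = image.rsplit("/", 1)[-1]
    return "@sha256:" in last or (":" in last and not last.endswith(":latest"))


def run_checks(manifest):
    """Return the check IDs that FAIL for any container in the pod template, in numeric order."""
    ps = pod_spec(manifest)
    pod_sc = ps.get("securityContext", {})
    failed = set()
    for c in ps["containers"]:
        sc = c.get("securityContext", {})
        res = c.get("resources", {})
        drop = [x.upper() for x in sc.get("capabilities", {}).get("drop", [])]
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        results = {
            "CKV_K8S_8": "livenessProbe" in c,
            "CKV_K8S_9": "readinessProbe" in c,
            "CKV_K8S_10": "cpu" in res.get("requests", {}),
            "CKV_K8S_11": "cpu" in res.get("limits", {}),
            "CKV_K8S_12": "memory" in res.get("requests", {}),
            "CKV_K8S_13": "memory" in res.get("limits", {}),
            "CKV_K8S_14": image_is_pinned(c["image"]),
            "CKV_K8S_20": sc.get("allowPrivilegeEscalation") is False,
            "CKV_K8S_22": sc.get("readOnlyRootFilesystem") is True,
            "CKV_K8S_23": sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is True,
            "CKV_K8S_28": "NET_RAW" in drop or "ALL" in drop,
            "CKV_K8S_29": bool(pod_sc) and bool(sc),   # pod- and container-level context
            "CKV_K8S_30": bool(sc),                    # container-level context
            "CKV_K8S_31": seccomp == "RuntimeDefault",
            "CKV_K8S_37": "ALL" in drop,
            "CKV_K8S_38": ps.get("automountServiceAccountToken") is False,
            "CKV_K8S_40": uid is not None and uid >= HIGH_UID,
            "CKV_K8S_43": "@sha256:" in c["image"],
        }
        failed.update(k for k, ok in results.items() if not ok)
    return sorted(failed, key=lambda k: int(k.rsplit("_", 1)[1]))


def harden(manifest):
    """Return a copy of the Deployment whose pod template clears every check above."""
    m = copy.deepcopy(manifest)
    ps = pod_spec(m)
    ps["automountServiceAccountToken"] = False   # whoami never calls the API server
    ps["securityContext"] = {"runAsNonRoot": True, "runAsUser": 10001, "runAsGroup": 10001,
                             "seccompProfile": {"type": "RuntimeDefault"}}
    c = ps["containers"][0]
    # Placeholder tag and digest: pin the real digest (e.g. from `crane digest <image>:<tag>`).
    c["image"] = "containous/whoami:v1.5.0@sha256:" + "0" * 64
    # A non-root process cannot bind port 80 without NET_BIND_SERVICE, so serve on 8080 instead
    # (assumption: the image honours the --port flag like the upstream whoami binary).
    c["args"] = ["--port", "8080"]
    c["ports"] = [{"name": "web", "containerPort": 8080}]
    c["resources"] = {"requests": {"cpu": "50m", "memory": "32Mi"},
                      "limits": {"cpu": "200m", "memory": "64Mi"}}
    probe = {"httpGet": {"path": "/", "port": "web"}, "initialDelaySeconds": 2, "periodSeconds": 10}
    c["livenessProbe"] = probe
    c["readinessProbe"] = dict(probe)
    c["securityContext"] = {
        "allowPrivilegeEscalation": False,
        "readOnlyRootFilesystem": True,          # whoami writes nothing to disk
        "runAsNonRoot": True, "runAsUser": 10001,
        "capabilities": {"drop": ["ALL"]},
        "seccompProfile": {"type": "RuntimeDefault"},
    }
    return m


if __name__ == "__main__":
    print("original fails:", run_checks(ORIGINAL))
    print("hardened fails:", run_checks(harden(ORIGINAL)))
```

Run stand-alone it prints the 18 failing IDs for the original and an empty list for the hardened copy; dump `harden(ORIGINAL)` as YAML and `checkov -f` on the result should agree. Two caveats apply when carrying the same fixes over to the vendored ingress-nginx manifests earlier in this report. The controller genuinely needs its mounted service-account token to watch Ingress objects, and the admission create/patch Jobs need `get` and `update` on validatingwebhookconfigurations to inject the generated CA bundle, which is precisely what CKV_K8S_155 flags on the ingress-nginx-ext-admission ClusterRole; those findings are inherent to the chart and belong in an explicit, justified skip (checkov reads inline skips from `metadata.annotations` keys of the form `checkov.io/skip1: CKV_K8S_155=<justification>`) rather than being silently ignored. And `readOnlyRootFilesystem: true` is safe for whoami only because it writes nothing; for an image that writes to /tmp or a cache directory, keep the setting and mount an emptyDir at that path instead of dropping it.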
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ServiceAccount.default.kafka-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:3-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
3 | apiVersion: v1
4 | kind: ServiceAccount
5 | metadata:
6 | name: kafka-template
7 | labels:
8 | app.kubernetes.io/name: kafka
9 | helm.sh/chart: kafka-14.1.0
10 | app.kubernetes.io/instance: kafka-template
11 | app.kubernetes.io/managed-by: Helm
12 | app.kubernetes.io/component: kafka
13 | automountServiceAccountToken: true
14 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.kafka-template-scripts
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:16-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
16 | apiVersion: v1
17 | kind: ConfigMap
18 | metadata:
19 | name: kafka-template-scripts
20 | labels:
21 | app.kubernetes.io/name: kafka
22 | helm.sh/chart: kafka-14.1.0
23 | app.kubernetes.io/instance: kafka-template
24 | app.kubernetes.io/managed-by: Helm
25 | data:
26 | setup.sh: |-
27 | #!/bin/bash
28 |
29 | ID="${MY_POD_NAME#"kafka-template-"}"
30 | if [[ -f "/bitnami/kafka/data/meta.properties" ]]; then
31 | export KAFKA_CFG_BROKER_ID="$(grep "broker.id" /bitnami/kafka/data/meta.properties | awk -F '=' '{print $2}')"
32 | else
33 | export KAFKA_CFG_BROKER_ID="$((ID + 0))"
34 | fi
35 |
36 | exec /entrypoint.sh /run.sh
37 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.kafka-template-zookeeper-headless
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:39-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
39 | apiVersion: v1
40 | kind: Service
41 | metadata:
42 | name: kafka-template-zookeeper-headless
43 | namespace: default
44 | labels:
45 | app.kubernetes.io/name: zookeeper
46 | helm.sh/chart: zookeeper-7.4.1
47 | app.kubernetes.io/instance: kafka-template
48 | app.kubernetes.io/managed-by: Helm
49 | app.kubernetes.io/component: zookeeper
50 | spec:
51 | type: ClusterIP
52 | clusterIP: None
53 | publishNotReadyAddresses: true
54 | ports:
55 |
56 | - name: tcp-client
57 | port: 2181
58 | targetPort: client
59 |
60 |
61 | - name: follower
62 | port: 2888
63 | targetPort: follower
64 | - name: tcp-election
65 | port: 3888
66 | targetPort: election
67 | selector:
68 | app.kubernetes.io/name: zookeeper
69 | app.kubernetes.io/instance: kafka-template
70 | app.kubernetes.io/component: zookeeper
71 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.kafka-template-zookeeper
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:73-104
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
73 | apiVersion: v1
74 | kind: Service
75 | metadata:
76 | name: kafka-template-zookeeper
77 | namespace: default
78 | labels:
79 | app.kubernetes.io/name: zookeeper
80 | helm.sh/chart: zookeeper-7.4.1
81 | app.kubernetes.io/instance: kafka-template
82 | app.kubernetes.io/managed-by: Helm
83 | app.kubernetes.io/component: zookeeper
84 | spec:
85 | type: ClusterIP
86 | ports:
87 |
88 | - name: tcp-client
89 | port: 2181
90 | targetPort: client
91 | nodePort: null
92 |
93 |
94 | - name: follower
95 | port: 2888
96 | targetPort: follower
97 | - name: tcp-election
98 | port: 3888
99 | targetPort: election
100 | selector:
101 | app.kubernetes.io/name: zookeeper
102 | app.kubernetes.io/instance: kafka-template
103 | app.kubernetes.io/component: zookeeper
104 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.kafka-template-headless
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:106-132
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
106 | apiVersion: v1
107 | kind: Service
108 | metadata:
109 | name: kafka-template-headless
110 | labels:
111 | app.kubernetes.io/name: kafka
112 | helm.sh/chart: kafka-14.1.0
113 | app.kubernetes.io/instance: kafka-template
114 | app.kubernetes.io/managed-by: Helm
115 | app.kubernetes.io/component: kafka
116 | spec:
117 | type: ClusterIP
118 | clusterIP: None
119 | ports:
120 | - name: tcp-client
121 | port: 9092
122 | protocol: TCP
123 | targetPort: kafka-client
124 | - name: tcp-internal
125 | port: 9093
126 | protocol: TCP
127 | targetPort: kafka-internal
128 | selector:
129 | app.kubernetes.io/name: kafka
130 | app.kubernetes.io/instance: kafka-template
131 | app.kubernetes.io/component: kafka
132 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.kafka-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:134-156
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
134 | apiVersion: v1
135 | kind: Service
136 | metadata:
137 | name: kafka-template
138 | labels:
139 | app.kubernetes.io/name: kafka
140 | helm.sh/chart: kafka-14.1.0
141 | app.kubernetes.io/instance: kafka-template
142 | app.kubernetes.io/managed-by: Helm
143 | app.kubernetes.io/component: kafka
144 | spec:
145 | type: ClusterIP
146 | ports:
147 | - name: tcp-client
148 | port: 9092
149 | protocol: TCP
150 | targetPort: kafka-client
151 | nodePort: null
152 | selector:
153 | app.kubernetes.io/name: kafka
154 | app.kubernetes.io/instance: kafka-template
155 | app.kubernetes.io/component: kafka
156 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: StatefulSet.default.kafka-template-zookeeper
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:158-323
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: StatefulSet.default.kafka-template-zookeeper
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:158-323
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: StatefulSet.default.kafka-template-zookeeper
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:158-323
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: StatefulSet.default.kafka-template-zookeeper
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:158-323
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: StatefulSet.default.kafka-template-zookeeper
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:158-323
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: StatefulSet.default.kafka-template-zookeeper
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:158-323
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: StatefulSet.default.kafka-template-zookeeper
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:158-323
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: StatefulSet.default.kafka-template-zookeeper
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:158-323
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: StatefulSet.default.kafka-template-zookeeper
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:158-323
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: StatefulSet.default.kafka-template-zookeeper
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:158-323
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: StatefulSet.default.kafka-template-zookeeper
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:158-323
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: StatefulSet.default.kafka-template-zookeeper
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:158-323
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: StatefulSet.default.kafka-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:325-503
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: StatefulSet.default.kafka-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:325-503
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: StatefulSet.default.kafka-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:325-503
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: StatefulSet.default.kafka-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:325-503
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: StatefulSet.default.kafka-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:325-503
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: StatefulSet.default.kafka-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:325-503
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: StatefulSet.default.kafka-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:325-503
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: StatefulSet.default.kafka-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:325-503
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: StatefulSet.default.kafka-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:325-503
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: StatefulSet.default.kafka-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:325-503
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: StatefulSet.default.kafka-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:325-503
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: StatefulSet.default.kafka-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:325-503
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: StatefulSet.default.kafka-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:325-503
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: StatefulSet.default.kafka-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:325-503
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: StatefulSet.default.kafka-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:325-503
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.kube-system.kube-state-metrics
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/35-deployment.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | labels:
5 | app.kubernetes.io/name: kube-state-metrics
6 | app.kubernetes.io/version: 1.9.5
7 | name: kube-state-metrics
8 | namespace: kube-system
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app.kubernetes.io/name: kube-state-metrics
14 | template:
15 | metadata:
16 | labels:
17 | app.kubernetes.io/name: kube-state-metrics
18 | app.kubernetes.io/version: 1.9.5
19 | spec:
20 | containers:
21 | - image: quay.io/coreos/kube-state-metrics:v1.9.5
22 | livenessProbe:
23 | httpGet:
24 | path: /healthz
25 | port: 8080
26 | initialDelaySeconds: 5
27 | timeoutSeconds: 5
28 | name: kube-state-metrics
29 | ports:
30 | - containerPort: 8080
31 | name: http-metrics
32 | - containerPort: 8081
33 | name: telemetry
34 | readinessProbe:
35 | httpGet:
36 | path: /
37 | port: 8081
38 | initialDelaySeconds: 5
39 | timeoutSeconds: 5
40 | securityContext:
41 | runAsUser: 65534
42 | nodeSelector:
43 | kubernetes.io/os: linux
44 | serviceAccountName: kube-state-metrics
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.kube-system.kube-state-metrics
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/35-deployment.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.kube-system.kube-state-metrics
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/35-deployment.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.kube-system.kube-state-metrics
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/35-deployment.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.kube-system.kube-state-metrics
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/35-deployment.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.kube-system.kube-state-metrics
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/35-deployment.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.kube-system.kube-state-metrics
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/35-deployment.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.kube-system.kube-state-metrics
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/35-deployment.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.kube-system.kube-state-metrics
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/35-deployment.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.kube-system.kube-state-metrics
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/35-deployment.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.kube-system.kube-state-metrics
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/35-deployment.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.kube-system.kube-state-metrics
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/35-deployment.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.kube-system.kube-state-metrics
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/35-deployment.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ServiceAccount.default.datadog-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/05-serviceaccount.yaml:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | kind: ServiceAccount
2 | apiVersion: v1
3 | metadata:
4 | name: datadog-agent
5 | namespace: default
6 |
7 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ServiceAccount.default.dca
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/05-serviceaccount.yaml:9-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
9 | kind: ServiceAccount
10 | apiVersion: v1
11 | metadata:
12 | name: dca
13 | namespace: default
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: DaemonSet.default.datadog-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/25-datadog-agent.yaml:1-215
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_26: "Do not specify hostPort unless absolutely necessary"
FAILED for resource: DaemonSet.default.datadog-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/25-datadog-agent.yaml:1-215
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-25.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: DaemonSet.default.datadog-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/25-datadog-agent.yaml:1-215
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: DaemonSet.default.datadog-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/25-datadog-agent.yaml:1-215
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: DaemonSet.default.datadog-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/25-datadog-agent.yaml:1-215
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: DaemonSet.default.datadog-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/25-datadog-agent.yaml:1-215
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: DaemonSet.default.datadog-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/25-datadog-agent.yaml:1-215
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: DaemonSet.default.datadog-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/25-datadog-agent.yaml:1-215
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: DaemonSet.default.datadog-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/25-datadog-agent.yaml:1-215
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: DaemonSet.default.datadog-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/25-datadog-agent.yaml:1-215
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: DaemonSet.default.datadog-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/25-datadog-agent.yaml:1-215
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: DaemonSet.default.datadog-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/25-datadog-agent.yaml:1-215
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: DaemonSet.default.datadog-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/25-datadog-agent.yaml:1-215
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: DaemonSet.default.datadog-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/25-datadog-agent.yaml:1-215
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: DaemonSet.default.datadog-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/25-datadog-agent.yaml:1-215
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: DaemonSet.default.datadog-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/25-datadog-agent.yaml:1-215
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.datadog-cluster-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/20-datadog-cluster-agent.yaml:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 | name: datadog-cluster-agent
5 | labels:
6 | app: datadog-cluster-agent
7 | spec:
8 | ports:
9 | - port: 5005 # Has to be the same as the one exposed in the DCA. Default is 5005.
10 | protocol: TCP
11 | selector:
12 | app: datadog-cluster-agent
13 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.datadog-cluster-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/20-datadog-cluster-agent.yaml:14-57
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
14 | apiVersion: apps/v1
15 | kind: Deployment
16 | metadata:
17 | name: datadog-cluster-agent
18 | namespace: default
19 | spec:
20 | selector:
21 | matchLabels:
22 | app: datadog-cluster-agent
23 | template:
24 | metadata:
25 | labels:
26 | app: datadog-cluster-agent
27 | name: datadog-agent
28 | annotations:
29 | ad.datadoghq.com/datadog-cluster-agent.check_names: '["prometheus"]'
30 | ad.datadoghq.com/datadog-cluster-agent.init_configs: '[{}]'
31 | ad.datadoghq.com/datadog-cluster-agent.instances: '[{"prometheus_url": "http://%%host%%:5000/metrics","namespace": "datadog.cluster_agent","metrics": ["go_goroutines","go_memstats_*","process_*","api_requests","datadog_requests","external_metrics", "cluster_checks_*"]}]'
32 | spec:
33 | serviceAccountName: dca
34 | containers:
35 | - image: datadog/cluster-agent:latest
36 | imagePullPolicy: Always
37 | name: datadog-cluster-agent
38 | env:
39 | - name: DD_API_KEY
40 | valueFrom:
41 | secretKeyRef:
42 | name: datadog-secret
43 | key: api-key
44 | # Optionally reference an APP KEY for the External Metrics Provider.
45 | # - name: DD_APP_KEY
46 | # value: ''
47 | - name: DD_CLUSTER_AGENT_AUTH_TOKEN
48 | valueFrom:
49 | secretKeyRef:
50 | name: datadog-auth-token
51 | key: token
52 | - name: DD_COLLECT_KUBERNETES_EVENTS
53 | value: "true"
54 | - name: DD_LEADER_ELECTION
55 | value: "true"
56 | - name: DD_EXTERNAL_METRICS_PROVIDER_ENABLED
57 | value: "true"
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.datadog-cluster-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/20-datadog-cluster-agent.yaml:14-57
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.datadog-cluster-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/20-datadog-cluster-agent.yaml:14-57
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.datadog-cluster-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/20-datadog-cluster-agent.yaml:14-57
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.datadog-cluster-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/20-datadog-cluster-agent.yaml:14-57
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.datadog-cluster-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/20-datadog-cluster-agent.yaml:14-57
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.datadog-cluster-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/20-datadog-cluster-agent.yaml:14-57
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.datadog-cluster-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/20-datadog-cluster-agent.yaml:14-57
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.datadog-cluster-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/20-datadog-cluster-agent.yaml:14-57
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.datadog-cluster-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/20-datadog-cluster-agent.yaml:14-57
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.datadog-cluster-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/20-datadog-cluster-agent.yaml:14-57
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.datadog-cluster-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/20-datadog-cluster-agent.yaml:14-57
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.default.datadog-cluster-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/20-datadog-cluster-agent.yaml:14-57
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.datadog-cluster-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/20-datadog-cluster-agent.yaml:14-57
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.datadog-cluster-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/20-datadog-cluster-agent.yaml:14-57
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.datadog-cluster-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/20-datadog-cluster-agent.yaml:14-57
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.datadog-cluster-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/20-datadog-cluster-agent.yaml:14-57
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.datadog-cluster-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/20-datadog-cluster-agent.yaml:14-57
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.datadog-cluster-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/20-datadog-cluster-agent.yaml:14-57
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.datadog-cluster-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/20-datadog-cluster-agent.yaml:14-57
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ServiceAccount.default.jenkins
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:3-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
3 | apiVersion: v1
4 | kind: ServiceAccount
5 | metadata:
6 |   name: jenkins
7 |   namespace: default
8 |   labels:
9 |     "app.kubernetes.io/name": 'jenkins'
10 |     "helm.sh/chart": "jenkins-3.5.9"
11 |     "app.kubernetes.io/managed-by": "Helm"
12 |     "app.kubernetes.io/instance": "RELEASE-NAME"
13 |     "app.kubernetes.io/component": "jenkins-controller"
14 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Secret.default.jenkins
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:16-31
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
16 | apiVersion: v1
17 | kind: Secret
18 | metadata:
19 |   name: jenkins
20 |   namespace: default
21 |   labels:
22 |     "app.kubernetes.io/name": 'jenkins'
23 |     "helm.sh/chart": "jenkins-3.5.9"
24 |     "app.kubernetes.io/managed-by": "Helm"
25 |     "app.kubernetes.io/instance": "RELEASE-NAME"
26 |     "app.kubernetes.io/component": "jenkins-controller"
27 | type: Opaque
28 | data:
29 |   jenkins-admin-password: "UVdhR2ZCa3ZUU0xDb0JhR1NmV2pCdQ=="
30 |   jenkins-admin-user: "YWRtaW4="
31 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.jenkins
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:33-69
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
33 | apiVersion: v1
34 | kind: ConfigMap
35 | metadata:
36 |   name: jenkins
37 |   namespace: default
38 |   labels:
39 |     "app.kubernetes.io/name": 'jenkins'
40 |     "app.kubernetes.io/managed-by": "Helm"
41 |     "app.kubernetes.io/instance": "RELEASE-NAME"
42 |     "app.kubernetes.io/component": "jenkins-controller"
43 | data:
44 |   apply_config.sh: |-
45 |     set -e
46 |     echo "disable Setup Wizard"
47 |     # Prevent Setup Wizard when JCasC is enabled
48 |     echo $JENKINS_VERSION > /var/jenkins_home/jenkins.install.UpgradeWizard.state
49 |     echo $JENKINS_VERSION > /var/jenkins_home/jenkins.install.InstallUtil.lastExecVersion
50 |     echo "download plugins"
51 |     # Install missing plugins
52 |     cp /var/jenkins_config/plugins.txt /var/jenkins_home;
53 |     rm -rf /usr/share/jenkins/ref/plugins/*.lock
54 |     version () { echo "$@" | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }'; }
55 |     if [ -f "/usr/share/jenkins/jenkins.war" ] && [ -n "$(command -v jenkins-plugin-cli)" 2>/dev/null ] && [ $(version $(jenkins-plugin-cli --version)) -ge $(version "2.1.1") ]; then
56 |       jenkins-plugin-cli --war "/usr/share/jenkins/jenkins.war" --plugin-file "/var/jenkins_home/plugins.txt" --latest false;
57 |     else
58 |       /usr/local/bin/install-plugins.sh `echo $(cat /var/jenkins_home/plugins.txt)`;
59 |     fi
60 |     echo "copy plugins to shared volume"
61 |     # Copy plugins to shared volume
62 |     yes n | cp -i /usr/share/jenkins/ref/plugins/* /var/jenkins_plugins/;
63 |     echo "finished initialization"
64 |   plugins.txt: |-
65 |     kubernetes:1.29.4
66 |     workflow-aggregator:2.6
67 |     git:4.7.1
68 |     configuration-as-code:1.51
69 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.jenkins-jenkins-jcasc-config
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:71-163
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Role.default.jenkins-schedule-agents
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:185-203
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
185 | apiVersion: rbac.authorization.k8s.io/v1
186 | kind: Role
187 | metadata:
188 |   name: jenkins-schedule-agents
189 |   namespace: default
190 |   labels:
191 |     "app.kubernetes.io/name": 'jenkins'
192 |     "helm.sh/chart": "jenkins-3.5.9"
193 |     "app.kubernetes.io/managed-by": "Helm"
194 |     "app.kubernetes.io/instance": "RELEASE-NAME"
195 |     "app.kubernetes.io/component": "jenkins-controller"
196 | rules:
197 | - apiGroups: [""]
198 |   resources: ["pods", "pods/exec", "pods/log", "persistentvolumeclaims", "events"]
199 |   verbs: ["get", "list", "watch"]
200 | - apiGroups: [""]
201 |   resources: ["pods", "pods/exec", "persistentvolumeclaims"]
202 |   verbs: ["create", "delete", "deletecollection", "patch", "update"]
203 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Role.default.jenkins-casc-reload
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:207-222
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
207 | apiVersion: rbac.authorization.k8s.io/v1
208 | kind: Role
209 | metadata:
210 |   name: jenkins-casc-reload
211 |   namespace: default
212 |   labels:
213 |     "app.kubernetes.io/name": 'jenkins'
214 |     "helm.sh/chart": "jenkins-3.5.9"
215 |     "app.kubernetes.io/managed-by": "Helm"
216 |     "app.kubernetes.io/instance": "RELEASE-NAME"
217 |     "app.kubernetes.io/component": "jenkins-controller"
218 | rules:
219 | - apiGroups: [""]
220 |   resources: ["configmaps"]
221 |   verbs: ["get", "watch", "list"]
222 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: RoleBinding.default.jenkins-schedule-agents
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:226-245
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
226 | apiVersion: rbac.authorization.k8s.io/v1
227 | kind: RoleBinding
228 | metadata:
229 |   name: jenkins-schedule-agents
230 |   namespace: default
231 |   labels:
232 |     "app.kubernetes.io/name": 'jenkins'
233 |     "helm.sh/chart": "jenkins-3.5.9"
234 |     "app.kubernetes.io/managed-by": "Helm"
235 |     "app.kubernetes.io/instance": "RELEASE-NAME"
236 |     "app.kubernetes.io/component": "jenkins-controller"
237 | roleRef:
238 |   apiGroup: rbac.authorization.k8s.io
239 |   kind: Role
240 |   name: jenkins-schedule-agents
241 | subjects:
242 | - kind: ServiceAccount
243 |   name: jenkins
244 |   namespace: default
245 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: RoleBinding.default.jenkins-watch-configmaps
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:247-266
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
247 | apiVersion: rbac.authorization.k8s.io/v1
248 | kind: RoleBinding
249 | metadata:
250 |   name: jenkins-watch-configmaps
251 |   namespace: default
252 |   labels:
253 |     "app.kubernetes.io/name": 'jenkins'
254 |     "helm.sh/chart": "jenkins-3.5.9"
255 |     "app.kubernetes.io/managed-by": "Helm"
256 |     "app.kubernetes.io/instance": "RELEASE-NAME"
257 |     "app.kubernetes.io/component": "jenkins-controller"
258 | roleRef:
259 |   apiGroup: rbac.authorization.k8s.io
260 |   kind: Role
261 |   name: jenkins-casc-reload
262 | subjects:
263 | - kind: ServiceAccount
264 |   name: jenkins
265 |   namespace: default
266 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.jenkins-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:268-288
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
268 | apiVersion: v1
269 | kind: Service
270 | metadata:
271 |   name: jenkins-agent
272 |   namespace: default
273 |   labels:
274 |     "app.kubernetes.io/name": 'jenkins'
275 |     "helm.sh/chart": "jenkins-3.5.9"
276 |     "app.kubernetes.io/managed-by": "Helm"
277 |     "app.kubernetes.io/instance": "RELEASE-NAME"
278 |     "app.kubernetes.io/component": "jenkins-controller"
279 | spec:
280 |   ports:
281 |     - port: 50000
282 |       targetPort: 50000
283 |       name: agent-listener
284 |   selector:
285 |     "app.kubernetes.io/component": "jenkins-controller"
286 |     "app.kubernetes.io/instance": "RELEASE-NAME"
287 |   type: ClusterIP
288 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.jenkins
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:290-310
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
290 | apiVersion: v1
291 | kind: Service
292 | metadata:
293 |   name: jenkins
294 |   namespace: default
295 |   labels:
296 |     "app.kubernetes.io/name": 'jenkins'
297 |     "helm.sh/chart": "jenkins-3.5.9"
298 |     "app.kubernetes.io/managed-by": "Helm"
299 |     "app.kubernetes.io/instance": "RELEASE-NAME"
300 |     "app.kubernetes.io/component": "jenkins-controller"
301 | spec:
302 |   ports:
303 |     - port: 8080
304 |       name: http
305 |       targetPort: 8080
306 |   selector:
307 |     "app.kubernetes.io/component": "jenkins-controller"
308 |     "app.kubernetes.io/instance": "RELEASE-NAME"
309 |   type: ClusterIP
310 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: StatefulSet.default.jenkins
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:312-484
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: StatefulSet.default.jenkins
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:312-484
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: StatefulSet.default.jenkins
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:312-484
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: StatefulSet.default.jenkins
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:312-484
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: StatefulSet.default.jenkins
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:312-484
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: StatefulSet.default.jenkins
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:312-484
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: StatefulSet.default.jenkins
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:312-484
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: StatefulSet.default.jenkins
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:312-484
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: StatefulSet.default.jenkins
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:312-484
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: StatefulSet.default.jenkins
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:312-484
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: StatefulSet.default.jenkins
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:312-484
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: StatefulSet.default.jenkins
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:312-484
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: StatefulSet.default.jenkins
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:312-484
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: StatefulSet.default.jenkins
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:312-484
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: StatefulSet.default.jenkins
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:312-484
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: StatefulSet.default.jenkins
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:312-484
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.jenkins-tests
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:486-498
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
486 | apiVersion: v1
487 | kind: ConfigMap
488 | metadata:
489 |   name: jenkins-tests
490 |   namespace: default
491 |   annotations:
492 |     "helm.sh/hook": test
493 | data:
494 |   run.sh: |-
495 |     @test "Testing Jenkins UI is accessible" {
496 |       curl --retry 48 --retry-delay 10 jenkins:8080/login
497 |     }
498 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.default.ui-test-8ep3t
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:500-538
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
500 | apiVersion: v1
501 | kind: Pod
502 | metadata:
503 |   name: "ui-test-8ep3t"
504 |   namespace: default
505 |   annotations:
506 |     "helm.sh/hook": test-success
507 | spec:
508 |   initContainers:
509 |     - name: "test-framework"
510 |       image: "bats/bats:1.2.1"
511 |       command:
512 |         - "bash"
513 |         - "-c"
514 |       args:
515 |         - |
516 |           # copy bats to tools dir
517 |           set -ex
518 |           cp -R /opt/bats /tools/bats/
519 |       volumeMounts:
520 |         - mountPath: /tools
521 |           name: tools
522 |   containers:
523 |     - name: ui-test
524 |       image: codeaprendiz/jenkins-controller-base:latest
525 |       command: ["/tools/bats/bin/bats", "-t", "/tests/run.sh"]
526 |       volumeMounts:
527 |         - mountPath: /tests
528 |           name: tests
529 |           readOnly: true
530 |         - mountPath: /tools
531 |           name: tools
532 |   volumes:
533 |     - name: tests
534 |       configMap:
535 |         name: jenkins-tests
536 |     - name: tools
537 |       emptyDir: {}
538 |   restartPolicy: Never
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.ui-test-8ep3t
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:500-538
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Pod.default.ui-test-8ep3t
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:500-538
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.ui-test-8ep3t
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:500-538
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.ui-test-8ep3t
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:500-538
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.ui-test-8ep3t
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:500-538
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.default.ui-test-8ep3t
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:500-538
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.ui-test-8ep3t
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:500-538
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.ui-test-8ep3t
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:500-538
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.ui-test-8ep3t
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:500-538
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.default.ui-test-8ep3t
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:500-538
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.ui-test-8ep3t
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:500-538
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.default.ui-test-8ep3t
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:500-538
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.ui-test-8ep3t
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:500-538
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.ui-test-8ep3t
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:500-538
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.ui-test-8ep3t
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:500-538
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Pod.default.ui-test-8ep3t
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:500-538
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Pod.default.ui-test-8ep3t
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:500-538
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.default.ui-test-8ep3t
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:500-538
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.ui-test-8ep3t
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:500-538
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/20-traefik-service.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: Service
4 | metadata:
5 | name: traefik
6 | spec:
7 | type: LoadBalancer
8 | selector:
9 | app: traefik
10 | ports:
11 | - protocol: TCP
12 | port: 80
13 | name: web
14 | targetPort: 80
15 | - protocol: TCP
16 | port: 443
17 | name: websecure
18 | targetPort: 80
19 | - protocol: TCP
20 | port: 8080
21 | name: admin
22 | targetPort: 8080
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | namespace: default
5 | name: whoami
6 | labels:
7 | app: whoami
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: whoami
14 | template:
15 | metadata:
16 | labels:
17 | app: whoami
18 | spec:
19 | containers:
20 | - name: whoami
21 | image: containous/whoami
22 | ports:
23 | - name: web
24 | containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ServiceAccount.default.traefik-ingress-controller
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/10-service-account.yaml:1-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: ServiceAccount
3 | metadata:
4 | name: traefik-ingress-controller
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/30-whoami-service.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 | name: whoami
5 |
6 | spec:
7 | ports:
8 | - protocol: TCP
9 | name: web
10 | port: 80
11 | selector:
12 | app: whoami
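The nineteen CKV_K8S_* findings against the whoami Deployment above all come from one short manifest with no security context, no resource bounds, no probes and an unpinned image. The script below is an added example, not part of the repository or of checkov: it transcribes 25-whoami-deployment.yaml as a Python dict, re-implements each failing rule in simplified form (a paraphrase of what checkov looks for, not checkov's code), and builds a hardened copy that clears every one of them. The tag `v1.5.0` and the all-zero digest on the hardened image are placeholders chosen for illustration; resolve the real digest (for example with `crane digest`) before applying the manifest.

```python
"""Re-check the whoami Deployment with a simplified, local re-implementation of
the failing CKV_K8S_* rules, then show a hardened copy clearing all of them.
The rule logic paraphrases what each checkov check looks for; it is not
checkov's own code."""
import copy
import re

# 25-whoami-deployment.yaml from the findings above, written as a dict.
ORIGINAL = {
    "kind": "Deployment", "apiVersion": "apps/v1",
    "metadata": {"namespace": "default", "name": "whoami", "labels": {"app": "whoami"}},
    "spec": {"replicas": 1, "selector": {"matchLabels": {"app": "whoami"}},
             "template": {"metadata": {"labels": {"app": "whoami"}},
                          "spec": {"containers": [{"name": "whoami",
                                                   "image": "containous/whoami",
                                                   "ports": [{"name": "web", "containerPort": 80}]}]}}},
}

# Hardened copy.  Tag and digest are placeholders (the digest is 64 zeros):
# resolve the real digest with `crane digest containous/whoami:<tag>` before use.
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64
HARDENED = copy.deepcopy(ORIGINAL)
HARDENED["metadata"]["namespace"] = "whoami"                          # CKV_K8S_21
pod = HARDENED["spec"]["template"]["spec"]
pod["automountServiceAccountToken"] = False                           # CKV_K8S_38
pod["securityContext"] = {"runAsNonRoot": True, "runAsUser": 10001,   # CKV_K8S_29/23/40
                          "seccompProfile": {"type": "RuntimeDefault"}}  # CKV_K8S_31
ctr = pod["containers"][0]
ctr["image"] = f"containous/whoami:v1.5.0@{PLACEHOLDER_DIGEST}"      # CKV_K8S_14/43
ctr["resources"] = {"requests": {"cpu": "50m", "memory": "32Mi"},     # CKV_K8S_10-13
                    "limits": {"cpu": "200m", "memory": "64Mi"}}
ctr["livenessProbe"] = {"httpGet": {"path": "/", "port": "web"}}      # CKV_K8S_8
ctr["readinessProbe"] = {"httpGet": {"path": "/", "port": "web"}}     # CKV_K8S_9
ctr["securityContext"] = {"allowPrivilegeEscalation": False,          # CKV_K8S_30/20
                          "readOnlyRootFilesystem": True,             # CKV_K8S_22
                          "capabilities": {"drop": ["ALL"]}}          # CKV_K8S_28/37
del pod, ctr


def failing_checks(deployment):
    """Return the CKV_K8S_* ids that fail for a Deployment, sorted numerically."""
    pod = deployment["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext") or {}
    failed = set()
    if deployment["metadata"].get("namespace", "default") == "default":
        failed.add("CKV_K8S_21")
    if pod.get("automountServiceAccountToken") is not False:
        failed.add("CKV_K8S_38")
    if pod_sc.get("seccompProfile", {}).get("type") != "RuntimeDefault":
        failed.add("CKV_K8S_31")
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        sc = c.get("securityContext") or {}
        res = c.get("resources") or {}
        image = c["image"]
        # Tag lives after the last ':' of the final path element, before any '@digest'.
        name_tag = image.split("@")[0].rsplit("/", 1)[-1]
        tag = name_tag.split(":", 1)[1] if ":" in name_tag else ""
        if tag in ("", "latest"):
            failed.add("CKV_K8S_14")
        if not re.search(r"@sha256:[0-9a-f]{64}$", image):
            failed.add("CKV_K8S_43")
        for cid, ok in (("8", "livenessProbe" in c), ("9", "readinessProbe" in c),
                        ("10", "cpu" in res.get("requests", {})),
                        ("11", "cpu" in res.get("limits", {})),
                        ("12", "memory" in res.get("requests", {})),
                        ("13", "memory" in res.get("limits", {})),
                        ("30", bool(sc)), ("29", bool(sc) or bool(pod_sc)),
                        ("20", sc.get("allowPrivilegeEscalation") is False),
                        ("22", sc.get("readOnlyRootFilesystem") is True)):
            if not ok:
                failed.add("CKV_K8S_" + cid)
        drop = {x.upper() for x in sc.get("capabilities", {}).get("drop", [])}
        if not drop & {"ALL", "NET_RAW"}:
            failed.add("CKV_K8S_28")
        if "ALL" not in drop:
            failed.add("CKV_K8S_37")
        # Container settings win; fall back to the pod-level securityContext.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if not (non_root is True or (isinstance(uid, int) and uid > 0)):
            failed.add("CKV_K8S_23")
        if not (isinstance(uid, int) and uid >= 10000):
            failed.add("CKV_K8S_40")
    return sorted(failed, key=lambda s: int(s.rsplit("_", 1)[1]))


if __name__ == "__main__":
    print("original:", failing_checks(ORIGINAL))
    print("hardened:", failing_checks(HARDENED))
```

Running it prints the same nineteen ids the report lists for the original manifest and an empty list for the hardened one. `readOnlyRootFilesystem: true` and `runAsUser: 10001` are safe for whoami because it writes nothing to disk; for images that need scratch space, add an `emptyDir` mount rather than dropping the setting, and pick a UID the image's files are readable by.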
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/15-traefik-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | kind: Deployment
3 | apiVersion: extensions/v1beta1
4 | metadata:
5 | name: traefik
6 | labels:
7 | app: traefik
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: traefik
14 | template:
15 | metadata:
16 | labels:
17 | app: traefik
18 | spec:
19 | serviceAccountName: traefik-ingress-controller
20 | containers:
21 | - name: traefik
22 | image: traefik:v2.2
23 | args:
24 | - --accesslog=true
25 | - --api
26 | - --api.insecure
27 | - --entrypoints.web.address=:80
28 | - --entrypoints.websecure.address=:443
29 | - --providers.kubernetescrd
30 | - --configfile=/config/traefik.toml
31 | ports:
32 | - name: web
33 | containerPort: 80
34 | - name: admin
35 | containerPort: 8080
36 | - name: websecure
37 | containerPort: 443
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/15-traefik-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/15-traefik-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/15-traefik-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/15-traefik-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/15-traefik-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/15-traefik-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/15-traefik-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/15-traefik-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/15-traefik-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/15-traefik-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/15-traefik-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/15-traefik-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/15-traefik-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/15-traefik-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/15-traefik-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/15-traefik-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/15-traefik-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/15-traefik-deployment.yaml:2-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/whoami.yaml:3-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
3 | apiVersion: apps/v1
4 | kind: Deployment
5 | metadata:
6 |   name: whoami
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: whoami
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: whoami
16 |     spec:
17 |       containers:
18 |         - name: whoami
19 |           image: containous/whoami:v1.4.0
20 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/whoami.yaml:3-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/whoami.yaml:3-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/whoami.yaml:3-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/whoami.yaml:3-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/whoami.yaml:3-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/whoami.yaml:3-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/whoami.yaml:3-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/whoami.yaml:3-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/whoami.yaml:3-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/whoami.yaml:3-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/whoami.yaml:3-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/whoami.yaml:3-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/whoami.yaml:3-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/whoami.yaml:3-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/whoami.yaml:3-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/whoami.yaml:3-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/whoami.yaml:3-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/whoami.yaml:3-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/whoami.yaml:21-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
21 | apiVersion: v1
22 | kind: Service
23 | metadata:
24 |   name: whoami
25 |   labels:
26 |     app: whoami
27 | spec:
28 |   type: ClusterIP
29 |   ports:
30 |     - port: 80
31 |       name: whoami
32 |   selector:
33 |     app: whoami
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ServiceAccount.default.cert-manager-name-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:3-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
3 | apiVersion: v1
4 | kind: ServiceAccount
5 | metadata:
6 |   name: cert-manager-name-cainjector
7 |   namespace: "default"
8 |   labels:
9 |     app: cainjector
10 |     app.kubernetes.io/name: cainjector
11 |     app.kubernetes.io/instance: cert-manager-name
12 |     app.kubernetes.io/managed-by: Helm
13 |     app.kubernetes.io/component: "cainjector"
14 |     helm.sh/chart: cert-manager-v1.1.1
15 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ServiceAccount.default.cert-manager-name
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:17-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
17 | apiVersion: v1
18 | kind: ServiceAccount
19 | metadata:
20 |   name: cert-manager-name
21 |   namespace: "default"
22 |   labels:
23 |     app: cert-manager
24 |     app.kubernetes.io/name: cert-manager
25 |     app.kubernetes.io/instance: cert-manager-name
26 |     app.kubernetes.io/managed-by: Helm
27 |     app.kubernetes.io/component: "controller"
28 |     helm.sh/chart: cert-manager-v1.1.1
29 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ServiceAccount.default.cert-manager-name-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:31-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
31 | apiVersion: v1
32 | kind: ServiceAccount
33 | metadata:
34 |   name: cert-manager-name-webhook
35 |   namespace: "default"
36 |   labels:
37 |     app: webhook
38 |     app.kubernetes.io/name: webhook
39 |     app.kubernetes.io/instance: cert-manager-name
40 |     app.kubernetes.io/managed-by: Helm
41 |     app.kubernetes.io/component: "webhook"
42 |     helm.sh/chart: cert-manager-v1.1.1
43 | ---
Check: CKV_K8S_155: "Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations"
FAILED for resource: ClusterRole.default.cert-manager-name-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:45-78
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-control-over-validating-or-mutating-admission-webhook-configurations-are-minimized.html
45 | apiVersion: rbac.authorization.k8s.io/v1
46 | kind: ClusterRole
47 | metadata:
48 |   name: cert-manager-name-cainjector
49 |   labels:
50 |     app: cainjector
51 |     app.kubernetes.io/name: cainjector
52 |     app.kubernetes.io/instance: cert-manager-name
53 |     app.kubernetes.io/managed-by: Helm
54 |     app.kubernetes.io/component: "cainjector"
55 |     helm.sh/chart: cert-manager-v1.1.1
56 | rules:
57 |   - apiGroups: ["cert-manager.io"]
58 |     resources: ["certificates"]
59 |     verbs: ["get", "list", "watch"]
60 |   - apiGroups: [""]
61 |     resources: ["secrets"]
62 |     verbs: ["get", "list", "watch"]
63 |   - apiGroups: [""]
64 |     resources: ["events"]
65 |     verbs: ["get", "create", "update", "patch"]
66 |   - apiGroups: ["admissionregistration.k8s.io"]
67 |     resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
68 |     verbs: ["get", "list", "watch", "update"]
69 |   - apiGroups: ["apiregistration.k8s.io"]
70 |     resources: ["apiservices"]
71 |     verbs: ["get", "list", "watch", "update"]
72 |   - apiGroups: ["apiextensions.k8s.io"]
73 |     resources: ["customresourcedefinitions"]
74 |     verbs: ["get", "list", "watch", "update"]
75 |   - apiGroups: ["auditregistration.k8s.io"]
76 |     resources: ["auditsinks"]
77 |     verbs: ["get", "list", "watch", "update"]
78 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Role.default.cert-manager-name-webhook:dynamic-serving
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:543-565
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
543 | apiVersion: rbac.authorization.k8s.io/v1
544 | kind: Role
545 | metadata:
546 |   name: cert-manager-name-webhook:dynamic-serving
547 |   namespace: "default"
548 |   labels:
549 |     app: webhook
550 |     app.kubernetes.io/name: webhook
551 |     app.kubernetes.io/instance: cert-manager-name
552 |     app.kubernetes.io/managed-by: Helm
553 |     app.kubernetes.io/component: "webhook"
554 |     helm.sh/chart: cert-manager-v1.1.1
555 | rules:
556 |   - apiGroups: [""]
557 |     resources: ["secrets"]
558 |     resourceNames:
559 |     - 'cert-manager-name-webhook-ca'
560 |     verbs: ["get", "list", "watch", "update"]
561 |   # It's not possible to grant CREATE permission on a single resourceName.
562 |   - apiGroups: [""]
563 |     resources: ["secrets"]
564 |     verbs: ["create"]
565 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: RoleBinding.default.cert-manager-name-webhook:dynamic-serving
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:616-637
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
616 | apiVersion: rbac.authorization.k8s.io/v1
617 | kind: RoleBinding
618 | metadata:
619 |   name: cert-manager-name-webhook:dynamic-serving
620 |   namespace: "default"
621 |   labels:
622 |     app: webhook
623 |     app.kubernetes.io/name: webhook
624 |     app.kubernetes.io/instance: cert-manager-name
625 |     app.kubernetes.io/managed-by: Helm
626 |     app.kubernetes.io/component: "webhook"
627 |     helm.sh/chart: cert-manager-v1.1.1
628 | roleRef:
629 |   apiGroup: rbac.authorization.k8s.io
630 |   kind: Role
631 |   name: cert-manager-name-webhook:dynamic-serving
632 | subjects:
633 |   - apiGroup: ""
634 |     kind: ServiceAccount
635 |     name: cert-manager-name-webhook
636 |     namespace: default
637 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.cert-manager-name
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:639-661
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
639 | apiVersion: v1
640 | kind: Service
641 | metadata:
642 |   name: cert-manager-name
643 |   namespace: "default"
644 |   labels:
645 |     app: cert-manager
646 |     app.kubernetes.io/name: cert-manager
647 |     app.kubernetes.io/instance: cert-manager-name
648 |     app.kubernetes.io/managed-by: Helm
649 |     app.kubernetes.io/component: "controller"
650 |     helm.sh/chart: cert-manager-v1.1.1
651 | spec:
652 |   type: ClusterIP
653 |   ports:
654 |   - protocol: TCP
655 |     port: 9402
656 |     targetPort: 9402
657 |   selector:
658 |     app.kubernetes.io/name: cert-manager
659 |     app.kubernetes.io/instance: cert-manager-name
660 |     app.kubernetes.io/component: "controller"
661 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.cert-manager-name-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:663-685
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
663 | apiVersion: v1
664 | kind: Service
665 | metadata:
666 |   name: cert-manager-name-webhook
667 |   namespace: "default"
668 |   labels:
669 |     app: webhook
670 |     app.kubernetes.io/name: webhook
671 |     app.kubernetes.io/instance: cert-manager-name
672 |     app.kubernetes.io/managed-by: Helm
673 |     app.kubernetes.io/component: "webhook"
674 |     helm.sh/chart: cert-manager-v1.1.1
675 | spec:
676 |   type: ClusterIP
677 |   ports:
678 |   - name: https
679 |     port: 443
680 |     targetPort: 10250
681 |   selector:
682 |     app.kubernetes.io/name: webhook
683 |     app.kubernetes.io/instance: cert-manager-name
684 |     app.kubernetes.io/component: "webhook"
685 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.cert-manager-name-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:687-731
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
687 | apiVersion: apps/v1
688 | kind: Deployment
689 | metadata:
690 |   name: cert-manager-name-cainjector
691 |   namespace: "default"
692 |   labels:
693 |     app: cainjector
694 |     app.kubernetes.io/name: cainjector
695 |     app.kubernetes.io/instance: cert-manager-name
696 |     app.kubernetes.io/managed-by: Helm
697 |     app.kubernetes.io/component: "cainjector"
698 |     helm.sh/chart: cert-manager-v1.1.1
699 | spec:
700 |   replicas: 1
701 |   selector:
702 |     matchLabels:
703 |       app.kubernetes.io/name: cainjector
704 |       app.kubernetes.io/instance: cert-manager-name
705 |       app.kubernetes.io/component: "cainjector"
706 |   template:
707 |     metadata:
708 |       labels:
709 |         app: cainjector
710 |         app.kubernetes.io/name: cainjector
711 |         app.kubernetes.io/instance: cert-manager-name
712 |         app.kubernetes.io/managed-by: Helm
713 |         app.kubernetes.io/component: "cainjector"
714 |         helm.sh/chart: cert-manager-v1.1.1
715 |     spec:
716 |       serviceAccountName: cert-manager-name-cainjector
717 |       containers:
718 |         - name: cert-manager
719 |           image: "quay.io/jetstack/cert-manager-cainjector:v1.1.1"
720 |           imagePullPolicy: IfNotPresent
721 |           args:
722 |           - --v=2
723 |           - --leader-election-namespace=kube-system
724 |           env:
725 |           - name: POD_NAMESPACE
726 |             valueFrom:
727 |               fieldRef:
728 |                 fieldPath: metadata.namespace
729 |           resources:
730 |             {}
731 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.cert-manager-name-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:687-731
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.cert-manager-name-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:687-731
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.cert-manager-name-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:687-731
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.cert-manager-name-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:687-731
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.cert-manager-name-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:687-731
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.cert-manager-name-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:687-731
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.cert-manager-name-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:687-731
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.cert-manager-name-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:687-731
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.cert-manager-name-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:687-731
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.cert-manager-name-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:687-731
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.cert-manager-name-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:687-731
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.cert-manager-name-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:687-731
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.cert-manager-name-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:687-731
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.cert-manager-name-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:687-731
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.cert-manager-name-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:687-731
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.cert-manager-name-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:687-731
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.cert-manager-name
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:733-785
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.cert-manager-name
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:733-785
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.cert-manager-name
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:733-785
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.cert-manager-name
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:733-785
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.cert-manager-name
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:733-785
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.cert-manager-name
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:733-785
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.cert-manager-name
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:733-785
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.cert-manager-name
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:733-785
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.cert-manager-name
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:733-785
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.cert-manager-name
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:733-785
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.cert-manager-name
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:733-785
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.cert-manager-name
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:733-785
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.cert-manager-name
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:733-785
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.cert-manager-name
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:733-785
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.cert-manager-name
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:733-785
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.cert-manager-name
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:733-785
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.cert-manager-name
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:733-785
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.cert-manager-name-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:787-857
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.cert-manager-name-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:787-857
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.cert-manager-name-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:787-857
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.cert-manager-name-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:787-857
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.cert-manager-name-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:787-857
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.cert-manager-name-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:787-857
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.cert-manager-name-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:787-857
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.cert-manager-name-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:787-857
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.cert-manager-name-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:787-857
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.cert-manager-name-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:787-857
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.cert-manager-name-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:787-857
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.cert-manager-name-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:787-857
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.cert-manager-name-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:787-857
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.cert-manager-name-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:787-857
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.cert-manager-name-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:787-857
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Ingress.default.frontend
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/ingress.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: networking.k8s.io/v1
2 | kind: Ingress
3 | metadata:
4 |   annotations:
5 |     certmanager.k8s.io/cluster-issuer: letsencrypt-prod
6 |     kubernetes.io/ingress.class: nginx
7 |   name: frontend
8 | spec:
9 |   rules:
10 |   -
11 |     host: test.devopsk8.com
12 |     http:
13 |       paths:
14 |       - pathType: Prefix
15 |         path: /
16 |         backend:
17 |           service:
18 |             name: whoami
19 |             port:
20 |               number: 80
21 |   tls:
22 |   -
23 |     hosts:
24 |     - test.devopsk8.com
25 |     secretName: app-mydomain-com
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: DaemonSet.kube-system.journalbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_035__gcp__journalbeat/12-daemonset.yaml:1-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: DaemonSet.kube-system.journalbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_035__gcp__journalbeat/12-daemonset.yaml:1-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: DaemonSet.kube-system.journalbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_035__gcp__journalbeat/12-daemonset.yaml:1-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_19: "Containers should not share the host network namespace"
FAILED for resource: DaemonSet.kube-system.journalbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_035__gcp__journalbeat/12-daemonset.yaml:1-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-18.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: DaemonSet.kube-system.journalbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_035__gcp__journalbeat/12-daemonset.yaml:1-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: DaemonSet.kube-system.journalbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_035__gcp__journalbeat/12-daemonset.yaml:1-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: DaemonSet.kube-system.journalbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_035__gcp__journalbeat/12-daemonset.yaml:1-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: DaemonSet.kube-system.journalbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_035__gcp__journalbeat/12-daemonset.yaml:1-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: DaemonSet.kube-system.journalbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_035__gcp__journalbeat/12-daemonset.yaml:1-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: DaemonSet.kube-system.journalbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_035__gcp__journalbeat/12-daemonset.yaml:1-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: DaemonSet.kube-system.journalbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_035__gcp__journalbeat/12-daemonset.yaml:1-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: DaemonSet.kube-system.journalbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_035__gcp__journalbeat/12-daemonset.yaml:1-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: DaemonSet.kube-system.journalbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_035__gcp__journalbeat/12-daemonset.yaml:1-107
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_6: "Do not admit root containers"
FAILED for resource: PodSecurityPolicy.kube-system.journalbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_035__gcp__journalbeat/04-pod-security-policy.yaml:1-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-5.html
1 | apiVersion: policy/v1beta1
2 | kind: PodSecurityPolicy
3 | metadata:
4 |   annotations:
5 |     seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
6 |     seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
7 |   name: journalbeat
8 |   namespace: kube-system
9 | spec:
10 |   allowedCapabilities:
11 |   - KILL
12 |   - CHOWN
13 |   - FSETID
14 |   - FOWNER
15 |   - SETGID
16 |   - SETUID
17 |   - SETFCAP
18 |   - SETPCAP
19 |   - AUDIT_WRITE
20 |   - NET_BIND_SERVICE
21 |   fsGroup:
22 |     rule: RunAsAny
23 |   hostIPC: false
24 |   hostNetwork: false
25 |   hostPID: false
26 |   privileged: false
27 |   requiredDropCapabilities:
28 |   - MKNOD
29 |   - DAC_OVERRIDE
30 |   - NET_RAW
31 |   - SYS_CHROOT
32 |   runAsUser:
33 |     rule: RunAsAny
34 |   seLinux:
35 |     rule: RunAsAny
36 |   supplementalGroups:
37 |     rule: RunAsAny
38 |   volumes:
39 |   - secret
40 |   - configMap
41 |   - hostPath
42 | ---
Check: CKV_K8S_24: "Do not allow containers with added capability"
FAILED for resource: PodSecurityPolicy.kube-system.journalbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_035__gcp__journalbeat/04-pod-security-policy.yaml:1-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-23.html
1 | apiVersion: policy/v1beta1
2 | kind: PodSecurityPolicy
3 | metadata:
4 |   annotations:
5 |     seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
6 |     seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
7 |   name: journalbeat
8 |   namespace: kube-system
9 | spec:
10 |   allowedCapabilities:
11 |   - KILL
12 |   - CHOWN
13 |   - FSETID
14 |   - FOWNER
15 |   - SETGID
16 |   - SETUID
17 |   - SETFCAP
18 |   - SETPCAP
19 |   - AUDIT_WRITE
20 |   - NET_BIND_SERVICE
21 |   fsGroup:
22 |     rule: RunAsAny
23 |   hostIPC: false
24 |   hostNetwork: false
25 |   hostPID: false
26 |   privileged: false
27 |   requiredDropCapabilities:
28 |   - MKNOD
29 |   - DAC_OVERRIDE
30 |   - NET_RAW
31 |   - SYS_CHROOT
32 |   runAsUser:
33 |     rule: RunAsAny
34 |   seLinux:
35 |     rule: RunAsAny
36 |   supplementalGroups:
37 |     rule: RunAsAny
38 |   volumes:
39 |   - secret
40 |   - configMap
41 |   - hostPath
42 | ---
Check: CKV_K8S_5: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: PodSecurityPolicy.kube-system.journalbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_035__gcp__journalbeat/04-pod-security-policy.yaml:1-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-containers-do-not-run-with-allowprivilegeescalation.html
1 | apiVersion: policy/v1beta1
2 | kind: PodSecurityPolicy
3 | metadata:
4 |   annotations:
5 |     seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
6 |     seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
7 |   name: journalbeat
8 |   namespace: kube-system
9 | spec:
10 |   allowedCapabilities:
11 |   - KILL
12 |   - CHOWN
13 |   - FSETID
14 |   - FOWNER
15 |   - SETGID
16 |   - SETUID
17 |   - SETFCAP
18 |   - SETPCAP
19 |   - AUDIT_WRITE
20 |   - NET_BIND_SERVICE
21 |   fsGroup:
22 |     rule: RunAsAny
23 |   hostIPC: false
24 |   hostNetwork: false
25 |   hostPID: false
26 |   privileged: false
27 |   requiredDropCapabilities:
28 |   - MKNOD
29 |   - DAC_OVERRIDE
30 |   - NET_RAW
31 |   - SYS_CHROOT
32 |   runAsUser:
33 |     rule: RunAsAny
34 |   seLinux:
35 |     rule: RunAsAny
36 |   supplementalGroups:
37 |     rule: RunAsAny
38 |   volumes:
39 |   - secret
40 |   - configMap
41 |   - hostPath
42 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Ingress.default.ingress-wildcard-host
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_005__local__access_svc_nodeport_via_ingress/ingress.yaml:1-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: networking.k8s.io/v1
2 | kind: Ingress
3 | metadata:
4 |   name: ingress-wildcard-host
5 | spec:
6 |   rules:
7 |   - host: "testingress.com"
8 |     http:
9 |       paths:
10 |       - pathType: Prefix
11 |         path: "/whoami"
12 |         backend:
13 |           service:
14 |             name: whoami-dep-svc
15 |             port:
16 |               number: 80
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_033__gcp__configuring_dns_with_static_IPs_k8_using_Service/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: helloweb
5 |   labels:
6 |     app: hello
7 | spec:
8 |   selector:
9 |     matchLabels:
10 |       app: hello
11 |       tier: web
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: hello
16 |         tier: web
17 |     spec:
18 |       containers:
19 |       - name: hello-app
20 |         image: gcr.io/google-samples/hello-app:1.0
21 |         ports:
22 |         - containerPort: 8080
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_033__gcp__configuring_dns_with_static_IPs_k8_using_Service/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: helloweb
5 |   labels:
6 |     app: hello
7 | spec:
8 |   selector:
9 |     matchLabels:
10 |       app: hello
11 |       tier: web
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: hello
16 |         tier: web
17 |     spec:
18 |       containers:
19 |       - name: hello-app
20 |         image: gcr.io/google-samples/hello-app:1.0
21 |         ports:
22 |         - containerPort: 8080
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_033__gcp__configuring_dns_with_static_IPs_k8_using_Service/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: helloweb
5 |   labels:
6 |     app: hello
7 | spec:
8 |   selector:
9 |     matchLabels:
10 |       app: hello
11 |       tier: web
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: hello
16 |         tier: web
17 |     spec:
18 |       containers:
19 |       - name: hello-app
20 |         image: gcr.io/google-samples/hello-app:1.0
21 |         ports:
22 |         - containerPort: 8080
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_033__gcp__configuring_dns_with_static_IPs_k8_using_Service/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: helloweb
5 |   labels:
6 |     app: hello
7 | spec:
8 |   selector:
9 |     matchLabels:
10 |       app: hello
11 |       tier: web
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: hello
16 |         tier: web
17 |     spec:
18 |       containers:
19 |       - name: hello-app
20 |         image: gcr.io/google-samples/hello-app:1.0
21 |         ports:
22 |         - containerPort: 8080
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_033__gcp__configuring_dns_with_static_IPs_k8_using_Service/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: helloweb
5 | labels:
6 | app: hello
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: hello
11 | tier: web
12 | template:
13 | metadata:
14 | labels:
15 | app: hello
16 | tier: web
17 | spec:
18 | containers:
19 | - name: hello-app
20 | image: gcr.io/google-samples/hello-app:1.0
21 | ports:
22 | - containerPort: 8080
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_033__gcp__configuring_dns_with_static_IPs_k8_using_Service/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: helloweb
5 | labels:
6 | app: hello
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: hello
11 | tier: web
12 | template:
13 | metadata:
14 | labels:
15 | app: hello
16 | tier: web
17 | spec:
18 | containers:
19 | - name: hello-app
20 | image: gcr.io/google-samples/hello-app:1.0
21 | ports:
22 | - containerPort: 8080
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_033__gcp__configuring_dns_with_static_IPs_k8_using_Service/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: helloweb
5 | labels:
6 | app: hello
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: hello
11 | tier: web
12 | template:
13 | metadata:
14 | labels:
15 | app: hello
16 | tier: web
17 | spec:
18 | containers:
19 | - name: hello-app
20 | image: gcr.io/google-samples/hello-app:1.0
21 | ports:
22 | - containerPort: 8080
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_033__gcp__configuring_dns_with_static_IPs_k8_using_Service/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: helloweb
5 | labels:
6 | app: hello
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: hello
11 | tier: web
12 | template:
13 | metadata:
14 | labels:
15 | app: hello
16 | tier: web
17 | spec:
18 | containers:
19 | - name: hello-app
20 | image: gcr.io/google-samples/hello-app:1.0
21 | ports:
22 | - containerPort: 8080
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_033__gcp__configuring_dns_with_static_IPs_k8_using_Service/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: helloweb
5 | labels:
6 | app: hello
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: hello
11 | tier: web
12 | template:
13 | metadata:
14 | labels:
15 | app: hello
16 | tier: web
17 | spec:
18 | containers:
19 | - name: hello-app
20 | image: gcr.io/google-samples/hello-app:1.0
21 | ports:
22 | - containerPort: 8080
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_033__gcp__configuring_dns_with_static_IPs_k8_using_Service/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: helloweb
5 | labels:
6 | app: hello
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: hello
11 | tier: web
12 | template:
13 | metadata:
14 | labels:
15 | app: hello
16 | tier: web
17 | spec:
18 | containers:
19 | - name: hello-app
20 | image: gcr.io/google-samples/hello-app:1.0
21 | ports:
22 | - containerPort: 8080
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_033__gcp__configuring_dns_with_static_IPs_k8_using_Service/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: helloweb
5 | labels:
6 | app: hello
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: hello
11 | tier: web
12 | template:
13 | metadata:
14 | labels:
15 | app: hello
16 | tier: web
17 | spec:
18 | containers:
19 | - name: hello-app
20 | image: gcr.io/google-samples/hello-app:1.0
21 | ports:
22 | - containerPort: 8080
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_033__gcp__configuring_dns_with_static_IPs_k8_using_Service/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: helloweb
5 | labels:
6 | app: hello
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: hello
11 | tier: web
12 | template:
13 | metadata:
14 | labels:
15 | app: hello
16 | tier: web
17 | spec:
18 | containers:
19 | - name: hello-app
20 | image: gcr.io/google-samples/hello-app:1.0
21 | ports:
22 | - containerPort: 8080
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_033__gcp__configuring_dns_with_static_IPs_k8_using_Service/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: helloweb
5 | labels:
6 | app: hello
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: hello
11 | tier: web
12 | template:
13 | metadata:
14 | labels:
15 | app: hello
16 | tier: web
17 | spec:
18 | containers:
19 | - name: hello-app
20 | image: gcr.io/google-samples/hello-app:1.0
21 | ports:
22 | - containerPort: 8080
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_033__gcp__configuring_dns_with_static_IPs_k8_using_Service/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: helloweb
5 | labels:
6 | app: hello
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: hello
11 | tier: web
12 | template:
13 | metadata:
14 | labels:
15 | app: hello
16 | tier: web
17 | spec:
18 | containers:
19 | - name: hello-app
20 | image: gcr.io/google-samples/hello-app:1.0
21 | ports:
22 | - containerPort: 8080
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_033__gcp__configuring_dns_with_static_IPs_k8_using_Service/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: helloweb
5 | labels:
6 | app: hello
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: hello
11 | tier: web
12 | template:
13 | metadata:
14 | labels:
15 | app: hello
16 | tier: web
17 | spec:
18 | containers:
19 | - name: hello-app
20 | image: gcr.io/google-samples/hello-app:1.0
21 | ports:
22 | - containerPort: 8080
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_033__gcp__configuring_dns_with_static_IPs_k8_using_Service/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: helloweb
5 | labels:
6 | app: hello
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: hello
11 | tier: web
12 | template:
13 | metadata:
14 | labels:
15 | app: hello
16 | tier: web
17 | spec:
18 | containers:
19 | - name: hello-app
20 | image: gcr.io/google-samples/hello-app:1.0
21 | ports:
22 | - containerPort: 8080
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_033__gcp__configuring_dns_with_static_IPs_k8_using_Service/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: helloweb
5 | labels:
6 | app: hello
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: hello
11 | tier: web
12 | template:
13 | metadata:
14 | labels:
15 | app: hello
16 | tier: web
17 | spec:
18 | containers:
19 | - name: hello-app
20 | image: gcr.io/google-samples/hello-app:1.0
21 | ports:
22 | - containerPort: 8080
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_033__gcp__configuring_dns_with_static_IPs_k8_using_Service/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: helloweb
5 | labels:
6 | app: hello
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: hello
11 | tier: web
12 | template:
13 | metadata:
14 | labels:
15 | app: hello
16 | tier: web
17 | spec:
18 | containers:
19 | - name: hello-app
20 | image: gcr.io/google-samples/hello-app:1.0
21 | ports:
22 | - containerPort: 8080
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_033__gcp__configuring_dns_with_static_IPs_k8_using_Service/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: helloweb
5 | labels:
6 | app: hello
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: hello
11 | tier: web
12 | template:
13 | metadata:
14 | labels:
15 | app: hello
16 | tier: web
17 | spec:
18 | containers:
19 | - name: hello-app
20 | image: gcr.io/google-samples/hello-app:1.0
21 | ports:
22 | - containerPort: 8080
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_033__gcp__configuring_dns_with_static_IPs_k8_using_Service/helloweb-service.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 | name: helloweb
5 | labels:
6 | app: hello
7 | spec:
8 | selector:
9 | app: hello
10 | tier: web
11 | ports:
12 | - port: 80
13 | targetPort: 8080
14 | type: LoadBalancer
15 | loadBalancerIP: "34.67.51.160"
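The Deployment and Service above fail one family of checks: the manifests say nothing about namespace, identity, capabilities, filesystem, resources, probes or image pinning, so every Kubernetes default applies. The following is an added example, not code from the repository: a rewrite of the two task_033 manifests that clears each CKV_K8S_* finding listed for Deployment.default.helloweb and Service.default.helloweb, with the responsible field annotated with its check ID. The namespace name "hello", the UID 10001, the resource sizes and the probe timings are assumptions, and the image digest is a placeholder that must be resolved from the registry (for example with "crane digest gcr.io/google-samples/hello-app:1.0") before the manifest is applied. The seccomp profile and CPU limit are included because the same two checks (CKV_K8S_31, CKV_K8S_11) are reported against the keycloak StatefulSets further down.

```yaml
# Added example (not from the repository): hardened helloweb manifests for task_033.
# Assumptions: namespace "hello", UID/GID 10001, resource sizes, probe timings,
# and the digest placeholder, which is not a real digest.
apiVersion: v1
kind: Namespace
metadata:
  name: hello                                 # CKV_K8S_21: nothing is deployed into "default"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: helloweb
  namespace: hello                            # CKV_K8S_21
  labels:
    app: hello
spec:
  selector:
    matchLabels:
      app: hello
      tier: web
  template:
    metadata:
      labels:
        app: hello
        tier: web
    spec:
      automountServiceAccountToken: false     # CKV_K8S_38: the app never talks to the API server
      securityContext:                        # CKV_K8S_29: pod-level security context
        runAsNonRoot: true                    # CKV_K8S_23
        runAsUser: 10001                      # CKV_K8S_40: above 10000 so it cannot collide with a host account
        runAsGroup: 10001
        fsGroup: 10001
        seccompProfile:
          type: RuntimeDefault                # CKV_K8S_31: runtime/default seccomp profile
      containers:
        - name: hello-app
          # CKV_K8S_43: pin by digest, not by mutable tag. Replace the placeholder with the
          # digest returned by the registry for the 1.0 tag (assumed value, not a real digest).
          image: gcr.io/google-samples/hello-app:1.0@sha256:REPLACE_WITH_RESOLVED_DIGEST
          imagePullPolicy: Always             # CKV_K8S_15
          ports:
            - containerPort: 8080
          securityContext:                    # CKV_K8S_30: container-level security context
            allowPrivilegeEscalation: false   # CKV_K8S_20: no setuid/file-capability escalation
            readOnlyRootFilesystem: true      # CKV_K8S_22: the sample app writes nothing to disk
            runAsNonRoot: true
            runAsUser: 10001
            capabilities:
              drop:
                - ALL                         # CKV_K8S_28 (NET_RAW) and CKV_K8S_37 (all capabilities)
          resources:
            requests:
              cpu: 50m                        # CKV_K8S_10
              memory: 32Mi                    # CKV_K8S_12
            limits:
              cpu: 200m                       # CKV_K8S_11
              memory: 64Mi                    # CKV_K8S_13
          livenessProbe:                      # CKV_K8S_8: hello-app answers GET / on 8080
            httpGet:
              path: /
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:                     # CKV_K8S_9
            httpGet:
              path: /
              port: 8080
            periodSeconds: 5
---
apiVersion: v1
kind: Service
metadata:
  name: helloweb
  namespace: hello                            # CKV_K8S_21: same namespace as the Deployment,
  labels:                                     # otherwise the selector below matches no pods
    app: hello
spec:
  selector:
    app: hello
    tier: web
  ports:
    - port: 80
      targetPort: 8080
  type: LoadBalancer
  loadBalancerIP: "34.67.51.160"
```

Two things to verify after applying. First, runAsNonRoot needs a numeric UID to check against: the pod securityContext sets runAsUser explicitly because the kubelet refuses to start a container whose image has no numeric USER when runAsNonRoot is true and no runAsUser is given. Second, readOnlyRootFilesystem is safe for this sample because it only serves HTTP; an application that writes to /tmp or a cache directory needs an emptyDir mounted at that path. Rerun the scan with "checkov -d . --framework kubernetes" to confirm the findings are gone. For the keycloak and postgresql StatefulSets reported below, the YAML under build/ and vendor/ is rendered Helm output, so the equivalent fields (pod and container securityContext, resources, automountServiceAccountToken) belong in the chart values that produce it rather than in patches to the rendered files, and CKV_K8S_35 is cleared by mounting the database Secret as a volume instead of exposing it through env valueFrom.secretKeyRef. Note also that spec.loadBalancerIP is deprecated since Kubernetes 1.24; it still works on GKE today but cloud-specific annotations are the supported replacement.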
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: StatefulSet.keycloak.keycloak-keycloakx
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/build/keycloakx_all.yaml:99-277
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: StatefulSet.keycloak.keycloak-keycloakx
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/build/keycloakx_all.yaml:99-277
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: StatefulSet.keycloak.keycloak-keycloakx
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/build/keycloakx_all.yaml:99-277
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: StatefulSet.keycloak.keycloak-keycloakx
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/build/keycloakx_all.yaml:99-277
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: StatefulSet.keycloak.keycloak-keycloakx
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/build/keycloakx_all.yaml:99-277
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: StatefulSet.keycloak.keycloak-keycloakx
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/build/keycloakx_all.yaml:99-277
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: StatefulSet.keycloak.keycloak-keycloakx
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/build/keycloakx_all.yaml:99-277
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: StatefulSet.keycloak.keycloak-keycloakx
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/build/keycloakx_all.yaml:99-277
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: StatefulSet.keycloak.keycloak-keycloakx
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/build/keycloakx_all.yaml:99-277
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: StatefulSet.keycloak.keycloak-keycloakx
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/build/keycloakx_all.yaml:99-277
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: StatefulSet.keycloak.keycloak-keycloakx
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/build/keycloakx_all.yaml:99-277
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: StatefulSet.keycloak.keycloak-keycloakx
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/build/keycloakx_all.yaml:99-277
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: StatefulSet.keycloak.keycloak-db-postgresql
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/vendor/postgresql/keycloak-db-manifest-vendor.yaml:78-237
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: StatefulSet.keycloak.keycloak-db-postgresql
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/vendor/postgresql/keycloak-db-manifest-vendor.yaml:78-237
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: StatefulSet.keycloak.keycloak-db-postgresql
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/vendor/postgresql/keycloak-db-manifest-vendor.yaml:78-237
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: StatefulSet.keycloak.keycloak-db-postgresql
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/vendor/postgresql/keycloak-db-manifest-vendor.yaml:78-237
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: StatefulSet.keycloak.keycloak-db-postgresql
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/vendor/postgresql/keycloak-db-manifest-vendor.yaml:78-237
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: StatefulSet.keycloak.keycloak-db-postgresql
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/vendor/postgresql/keycloak-db-manifest-vendor.yaml:78-237
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: StatefulSet.keycloak.keycloak-db-postgresql
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/vendor/postgresql/keycloak-db-manifest-vendor.yaml:78-237
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: StatefulSet.keycloak.keycloak-db-postgresql
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/vendor/postgresql/keycloak-db-manifest-vendor.yaml:78-237
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: StatefulSet.keycloak.keycloak-db-postgresql
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/vendor/postgresql/keycloak-db-manifest-vendor.yaml:78-237
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: StatefulSet.keycloak.keycloak-db-postgresql
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/vendor/postgresql/keycloak-db-manifest-vendor.yaml:78-237
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: StatefulSet.keycloak.keycloak-db-postgresql
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/vendor/postgresql/keycloak-db-manifest-vendor.yaml:78-237
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: StatefulSet.keycloak.keycloak-db-postgresql
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/vendor/postgresql/keycloak-db-manifest-vendor.yaml:78-237
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: StatefulSet.keycloak.keycloak-keycloakx
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/vendor/keycloakx/keycloak-server-manifest-vendor.yaml:107-293
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: StatefulSet.keycloak.keycloak-keycloakx
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/vendor/keycloakx/keycloak-server-manifest-vendor.yaml:107-293
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: StatefulSet.keycloak.keycloak-keycloakx
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/vendor/keycloakx/keycloak-server-manifest-vendor.yaml:107-293
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: StatefulSet.keycloak.keycloak-keycloakx
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/vendor/keycloakx/keycloak-server-manifest-vendor.yaml:107-293
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: StatefulSet.keycloak.keycloak-keycloakx
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/vendor/keycloakx/keycloak-server-manifest-vendor.yaml:107-293
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: StatefulSet.keycloak.keycloak-keycloakx
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/vendor/keycloakx/keycloak-server-manifest-vendor.yaml:107-293
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: StatefulSet.keycloak.keycloak-keycloakx
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/vendor/keycloakx/keycloak-server-manifest-vendor.yaml:107-293
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: StatefulSet.keycloak.keycloak-keycloakx
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/vendor/keycloakx/keycloak-server-manifest-vendor.yaml:107-293
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: StatefulSet.keycloak.keycloak-keycloakx
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/vendor/keycloakx/keycloak-server-manifest-vendor.yaml:107-293
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: StatefulSet.keycloak.keycloak-keycloakx
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/vendor/keycloakx/keycloak-server-manifest-vendor.yaml:107-293
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: StatefulSet.keycloak.keycloak-keycloakx
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/vendor/keycloakx/keycloak-server-manifest-vendor.yaml:107-293
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: StatefulSet.keycloak.keycloak-keycloakx
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/vendor/keycloakx/keycloak-server-manifest-vendor.yaml:107-293
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_014__aws__traefik_kops_whoami_middleware/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | namespace: default
5 | name: whoami
6 | labels:
7 | app: whoami
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: whoami
14 | template:
15 | metadata:
16 | labels:
17 | app: whoami
18 | spec:
19 | containers:
20 | - name: whoami
21 | image: containous/whoami
22 | ports:
23 | - name: web
24 | containerPort: 80
25 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_014__aws__traefik_kops_whoami_middleware/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | namespace: default
5 | name: whoami
6 | labels:
7 | app: whoami
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: whoami
14 | template:
15 | metadata:
16 | labels:
17 | app: whoami
18 | spec:
19 | containers:
20 | - name: whoami
21 | image: containous/whoami
22 | ports:
23 | - name: web
24 | containerPort: 80
25 | ---
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_014__aws__traefik_kops_whoami_middleware/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | namespace: default
5 | name: whoami
6 | labels:
7 | app: whoami
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: whoami
14 | template:
15 | metadata:
16 | labels:
17 | app: whoami
18 | spec:
19 | containers:
20 | - name: whoami
21 | image: containous/whoami
22 | ports:
23 | - name: web
24 | containerPort: 80
25 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_014__aws__traefik_kops_whoami_middleware/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | namespace: default
5 | name: whoami
6 | labels:
7 | app: whoami
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: whoami
14 | template:
15 | metadata:
16 | labels:
17 | app: whoami
18 | spec:
19 | containers:
20 | - name: whoami
21 | image: containous/whoami
22 | ports:
23 | - name: web
24 | containerPort: 80
25 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_014__aws__traefik_kops_whoami_middleware/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | namespace: default
5 | name: whoami
6 | labels:
7 | app: whoami
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: whoami
14 | template:
15 | metadata:
16 | labels:
17 | app: whoami
18 | spec:
19 | containers:
20 | - name: whoami
21 | image: containous/whoami
22 | ports:
23 | - name: web
24 | containerPort: 80
25 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_014__aws__traefik_kops_whoami_middleware/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | namespace: default
5 | name: whoami
6 | labels:
7 | app: whoami
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: whoami
14 | template:
15 | metadata:
16 | labels:
17 | app: whoami
18 | spec:
19 | containers:
20 | - name: whoami
21 | image: containous/whoami
22 | ports:
23 | - name: web
24 | containerPort: 80
25 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_014__aws__traefik_kops_whoami_middleware/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | namespace: default
5 | name: whoami
6 | labels:
7 | app: whoami
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: whoami
14 | template:
15 | metadata:
16 | labels:
17 | app: whoami
18 | spec:
19 | containers:
20 | - name: whoami
21 | image: containous/whoami
22 | ports:
23 | - name: web
24 | containerPort: 80
25 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_014__aws__traefik_kops_whoami_middleware/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | namespace: default
5 | name: whoami
6 | labels:
7 | app: whoami
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: whoami
14 | template:
15 | metadata:
16 | labels:
17 | app: whoami
18 | spec:
19 | containers:
20 | - name: whoami
21 | image: containous/whoami
22 | ports:
23 | - name: web
24 | containerPort: 80
25 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_014__aws__traefik_kops_whoami_middleware/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | namespace: default
5 | name: whoami
6 | labels:
7 | app: whoami
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: whoami
14 | template:
15 | metadata:
16 | labels:
17 | app: whoami
18 | spec:
19 | containers:
20 | - name: whoami
21 | image: containous/whoami
22 | ports:
23 | - name: web
24 | containerPort: 80
25 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_014__aws__traefik_kops_whoami_middleware/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | namespace: default
5 | name: whoami
6 | labels:
7 | app: whoami
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: whoami
14 | template:
15 | metadata:
16 | labels:
17 | app: whoami
18 | spec:
19 | containers:
20 | - name: whoami
21 | image: containous/whoami
22 | ports:
23 | - name: web
24 | containerPort: 80
25 | ---
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_014__aws__traefik_kops_whoami_middleware/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | namespace: default
5 | name: whoami
6 | labels:
7 | app: whoami
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: whoami
14 | template:
15 | metadata:
16 | labels:
17 | app: whoami
18 | spec:
19 | containers:
20 | - name: whoami
21 | image: containous/whoami
22 | ports:
23 | - name: web
24 | containerPort: 80
25 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_014__aws__traefik_kops_whoami_middleware/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | namespace: default
5 | name: whoami
6 | labels:
7 | app: whoami
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: whoami
14 | template:
15 | metadata:
16 | labels:
17 | app: whoami
18 | spec:
19 | containers:
20 | - name: whoami
21 | image: containous/whoami
22 | ports:
23 | - name: web
24 | containerPort: 80
25 | ---
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_014__aws__traefik_kops_whoami_middleware/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | namespace: default
5 | name: whoami
6 | labels:
7 | app: whoami
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: whoami
14 | template:
15 | metadata:
16 | labels:
17 | app: whoami
18 | spec:
19 | containers:
20 | - name: whoami
21 | image: containous/whoami
22 | ports:
23 | - name: web
24 | containerPort: 80
25 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_014__aws__traefik_kops_whoami_middleware/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | namespace: default
5 | name: whoami
6 | labels:
7 | app: whoami
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: whoami
14 | template:
15 | metadata:
16 | labels:
17 | app: whoami
18 | spec:
19 | containers:
20 | - name: whoami
21 | image: containous/whoami
22 | ports:
23 | - name: web
24 | containerPort: 80
25 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_014__aws__traefik_kops_whoami_middleware/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | namespace: default
5 | name: whoami
6 | labels:
7 | app: whoami
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: whoami
14 | template:
15 | metadata:
16 | labels:
17 | app: whoami
18 | spec:
19 | containers:
20 | - name: whoami
21 | image: containous/whoami
22 | ports:
23 | - name: web
24 | containerPort: 80
25 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_014__aws__traefik_kops_whoami_middleware/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | namespace: default
5 | name: whoami
6 | labels:
7 | app: whoami
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: whoami
14 | template:
15 | metadata:
16 | labels:
17 | app: whoami
18 | spec:
19 | containers:
20 | - name: whoami
21 | image: containous/whoami
22 | ports:
23 | - name: web
24 | containerPort: 80
25 | ---
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_014__aws__traefik_kops_whoami_middleware/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | namespace: default
5 | name: whoami
6 | labels:
7 | app: whoami
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: whoami
14 | template:
15 | metadata:
16 | labels:
17 | app: whoami
18 | spec:
19 | containers:
20 | - name: whoami
21 | image: containous/whoami
22 | ports:
23 | - name: web
24 | containerPort: 80
25 | ---
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_014__aws__traefik_kops_whoami_middleware/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | namespace: default
5 | name: whoami
6 | labels:
7 | app: whoami
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: whoami
14 | template:
15 | metadata:
16 | labels:
17 | app: whoami
18 | spec:
19 | containers:
20 | - name: whoami
21 | image: containous/whoami
22 | ports:
23 | - name: web
24 | containerPort: 80
25 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_014__aws__traefik_kops_whoami_middleware/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | namespace: default
5 | name: whoami
6 | labels:
7 | app: whoami
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: whoami
14 | template:
15 | metadata:
16 | labels:
17 | app: whoami
18 | spec:
19 | containers:
20 | - name: whoami
21 | image: containous/whoami
22 | ports:
23 | - name: web
24 | containerPort: 80
25 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_014__aws__traefik_kops_whoami_middleware/whoami.yaml:27-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
27 | apiVersion: v1
28 | kind: Service
29 | metadata:
30 | name: whoami
31 |
32 | spec:
33 | ports:
34 | - protocol: TCP
35 | name: web
36 | port: 80
37 | selector:
38 | app: whoami
39 |
40 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ServiceAccount.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_014__aws__traefik_kops_whoami_middleware/traefik-resources.yaml:3-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
3 | kind: ServiceAccount
4 | apiVersion: v1
5 | metadata:
6 | name: traefik-helm-template-traefik
7 | labels:
8 | app.kubernetes.io/name: traefik
9 | helm.sh/chart: traefik-9.19.1
10 | app.kubernetes.io/managed-by: Helm
11 | app.kubernetes.io/instance: traefik-helm-template
12 | annotations:
13 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_014__aws__traefik_kops_whoami_middleware/traefik-resources.yaml:88-184
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_014__aws__traefik_kops_whoami_middleware/traefik-resources.yaml:88-184
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_014__aws__traefik_kops_whoami_middleware/traefik-resources.yaml:88-184
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_014__aws__traefik_kops_whoami_middleware/traefik-resources.yaml:88-184
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_014__aws__traefik_kops_whoami_middleware/traefik-resources.yaml:88-184
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_014__aws__traefik_kops_whoami_middleware/traefik-resources.yaml:88-184
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_014__aws__traefik_kops_whoami_middleware/traefik-resources.yaml:88-184
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_014__aws__traefik_kops_whoami_middleware/traefik-resources.yaml:88-184
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_014__aws__traefik_kops_whoami_middleware/traefik-resources.yaml:88-184
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_014__aws__traefik_kops_whoami_middleware/traefik-resources.yaml:88-184
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_014__aws__traefik_kops_whoami_middleware/traefik-resources.yaml:189-213
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
189 | - apiVersion: v1
190 | kind: Service
191 | metadata:
192 | name: traefik-helm-template-traefik
193 | labels:
194 | app.kubernetes.io/name: traefik
195 | helm.sh/chart: traefik-9.19.1
196 | app.kubernetes.io/managed-by: Helm
197 | app.kubernetes.io/instance: traefik-helm-template
198 | annotations:
199 | spec:
200 | type: LoadBalancer
201 | selector:
202 | app.kubernetes.io/name: traefik
203 | app.kubernetes.io/instance: traefik-helm-template
204 | ports:
205 | - port: 80
206 | name: web
207 | targetPort: "web"
208 | protocol: "TCP"
209 | - port: 443
210 | name: websecure
211 | targetPort: "websecure"
212 | protocol: "TCP"
213 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.kafdrop
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/kafdrop-chart/kafdrop-manifests.yaml:3-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
3 | apiVersion: v1
4 | kind: Service
5 | metadata:
6 | name: kafdrop
7 | labels:
8 | app.kubernetes.io/name: kafdrop
9 | helm.sh/chart: kafdrop-0.1.0
10 | app.kubernetes.io/instance: kafdrop
11 | app.kubernetes.io/managed-by: Helm
12 | spec:
13 | type: NodePort
14 | ports:
15 | - port: 9000
16 | targetPort: http
17 | protocol: TCP
18 | name: http
19 |
20 | nodePort: 30900
21 |
22 | selector:
23 | app.kubernetes.io/name: kafdrop
24 | app.kubernetes.io/instance: kafdrop
25 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.kafdrop
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/kafdrop-chart/kafdrop-manifests.yaml:27-103
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.kafdrop
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/kafdrop-chart/kafdrop-manifests.yaml:27-103
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.kafdrop
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/kafdrop-chart/kafdrop-manifests.yaml:27-103
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.kafdrop
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/kafdrop-chart/kafdrop-manifests.yaml:27-103
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.kafdrop
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/kafdrop-chart/kafdrop-manifests.yaml:27-103
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.kafdrop
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/kafdrop-chart/kafdrop-manifests.yaml:27-103
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.kafdrop
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/kafdrop-chart/kafdrop-manifests.yaml:27-103
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.kafdrop
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/kafdrop-chart/kafdrop-manifests.yaml:27-103
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.kafdrop
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/kafdrop-chart/kafdrop-manifests.yaml:27-103
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.kafdrop
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/kafdrop-chart/kafdrop-manifests.yaml:27-103
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.kafdrop
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/kafdrop-chart/kafdrop-manifests.yaml:27-103
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.kafdrop
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/kafdrop-chart/kafdrop-manifests.yaml:27-103
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.kafdrop
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/kafdrop-chart/kafdrop-manifests.yaml:27-103
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.kafdrop
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/kafdrop-chart/kafdrop-manifests.yaml:27-103
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.kafdrop
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/kafdrop-chart/kafdrop-manifests.yaml:27-103
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ServiceAccount.default.oauth2-oauth2-proxy
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/oauth2-proxy/oauth2-manifests.yaml:3-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
3 | apiVersion: v1
4 | kind: ServiceAccount
5 | metadata:
6 |   name: oauth2-oauth2-proxy
7 |   namespace: "default"
8 |   labels:
9 |     app.kubernetes.io/name: oauth2-proxy
10 |     helm.sh/chart: oauth2-proxy-0.1.8
11 |     app.kubernetes.io/instance: oauth2
12 |     app.kubernetes.io/managed-by: Helm
13 |     app.kubernetes.io/component: oauth2-proxy
14 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Secret.default.oauth2-oauth2-proxy-access-list
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/oauth2-proxy/oauth2-manifests.yaml:16-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
16 | apiVersion: v1
17 | kind: Secret
18 | metadata:
19 |   name: oauth2-oauth2-proxy-access-list
20 |   namespace: "default"
21 |   labels:
22 |     app.kubernetes.io/name: oauth2-proxy
23 |     helm.sh/chart: oauth2-proxy-0.1.8
24 |     app.kubernetes.io/instance: oauth2
25 |     app.kubernetes.io/managed-by: Helm
26 |     app.kubernetes.io/component: oauth2-proxy
27 | type: Opaque
28 | data:
29 |   authenticated-emails-list: "YW5raXRzaW5naHJhdGhpMUBnbWFpbC5jb20="
30 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Secret.default.oauth2-oauth2-proxy-google
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/oauth2-proxy/oauth2-manifests.yaml:32-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
32 | apiVersion: v1
33 | kind: Secret
34 | metadata:
35 |   name: oauth2-oauth2-proxy-google
36 |   namespace: "default"
37 |   labels:
38 |     app.kubernetes.io/name: oauth2-proxy
39 |     helm.sh/chart: oauth2-proxy-0.1.8
40 |     app.kubernetes.io/instance: oauth2
41 |     app.kubernetes.io/managed-by: Helm
42 |     app.kubernetes.io/component: oauth2-proxy
43 | type: Opaque
44 | data:
45 |   service-account.json: ""
46 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Secret.default.oauth2-oauth2-proxy
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/oauth2-proxy/oauth2-manifests.yaml:48-64
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
48 | apiVersion: v1
49 | kind: Secret
50 | metadata:
51 |   name: oauth2-oauth2-proxy
52 |   namespace: "default"
53 |   labels:
54 |     app.kubernetes.io/name: oauth2-proxy
55 |     helm.sh/chart: oauth2-proxy-0.1.8
56 |     app.kubernetes.io/instance: oauth2
57 |     app.kubernetes.io/managed-by: Helm
58 |     app.kubernetes.io/component: oauth2-proxy
59 | type: Opaque
60 | data:
61 |   cookie-secret: "WTI5dmEybGxDZ3NrZG5mcw=="
62 |   client-secret: "WEkzZl9ZRXlSdWJmUGtxUFhlVjlCV1Rs"
63 |   client-id: "MTAzOTc1ODgzMDkwLWE5NW8xMzM4ZjBja2swczMyaGVzbjdvNDQxaWNlcDJsLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29t"
64 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.oauth2-oauth2-proxy
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/oauth2-proxy/oauth2-manifests.yaml:66-98
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
66 | apiVersion: v1
67 | kind: ConfigMap
68 | metadata:
69 |   name: oauth2-oauth2-proxy
70 |   namespace: "default"
71 |   labels:
72 |     app.kubernetes.io/name: oauth2-proxy
73 |     helm.sh/chart: oauth2-proxy-0.1.8
74 |     app.kubernetes.io/instance: oauth2
75 |     app.kubernetes.io/managed-by: Helm
76 |     app.kubernetes.io/component: oauth2-proxy
77 | data:
78 |   oauth2_proxy.cfg: |
79 |     email_domains = [ "*" ]
80 |     # upstreams = [ "file:///dev/null" ]
81 |     http_address="0.0.0.0:4180"
82 |     provider="google"
83 |     cookie_secure="true"
84 |     redirect_url="https://auth.somedomain.com/oauth2/callback"
85 |     cookie_domains=".somedomain.com" # Required so cookie can be read on all subdomains.
86 |     whitelist_domains=".somedomain.com" # Required to allow redirection back to original requested target.
87 |     # Mandatory option when using oauth2-proxy with traefik
88 |     reverse_proxy="true"
89 |     # Required for traefik with ForwardAuth and static upstream configuration
90 |     upstreams="static://202"
91 |     # The following option skip the page requesting the user
92 |     # to click on a button to be redirected to the identity provider
93 |     # It can be activated only when traefik is not configure with
94 |     # the error redirection middleware as this example.
95 |     skip_provider_button="true"
96 |     set_authorization_header="true"
97 |     set_xauthrequest="true"
98 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.oauth2-oauth2-proxy
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/oauth2-proxy/oauth2-manifests.yaml:100-124
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
100 | apiVersion: v1
101 | kind: Service
102 | metadata:
103 |   name: oauth2-oauth2-proxy
104 |   namespace: "default"
105 |   labels:
106 |     app.kubernetes.io/name: oauth2-proxy
107 |     helm.sh/chart: oauth2-proxy-0.1.8
108 |     app.kubernetes.io/instance: oauth2
109 |     app.kubernetes.io/managed-by: Helm
110 |     app.kubernetes.io/component: oauth2-proxy
111 | spec:
112 |   type: ClusterIP
113 |
114 |   ports:
115 |   - name: http
116 |     port: 8080
117 |     protocol: TCP
118 |     targetPort: http
119 |     nodePort: null
120 |   selector:
121 |     app.kubernetes.io/name: oauth2-proxy
122 |     app.kubernetes.io/instance: oauth2
123 |     app.kubernetes.io/component: oauth2-proxy
124 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.oauth2-oauth2-proxy
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/oauth2-proxy/oauth2-manifests.yaml:126-251
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.oauth2-oauth2-proxy
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/oauth2-proxy/oauth2-manifests.yaml:126-251
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.oauth2-oauth2-proxy
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/oauth2-proxy/oauth2-manifests.yaml:126-251
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.oauth2-oauth2-proxy
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/oauth2-proxy/oauth2-manifests.yaml:126-251
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.oauth2-oauth2-proxy
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/oauth2-proxy/oauth2-manifests.yaml:126-251
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.oauth2-oauth2-proxy
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/oauth2-proxy/oauth2-manifests.yaml:126-251
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.oauth2-oauth2-proxy
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/oauth2-proxy/oauth2-manifests.yaml:126-251
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_35: "Prefer using secrets as files over secrets as environment variables"
FAILED for resource: Deployment.default.oauth2-oauth2-proxy
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/oauth2-proxy/oauth2-manifests.yaml:126-251
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-33.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.oauth2-oauth2-proxy
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/oauth2-proxy/oauth2-manifests.yaml:126-251
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.oauth2-oauth2-proxy
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/oauth2-proxy/oauth2-manifests.yaml:126-251
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.oauth2-oauth2-proxy
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/oauth2-proxy/oauth2-manifests.yaml:126-251
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.oauth2-oauth2-proxy
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/oauth2-proxy/oauth2-manifests.yaml:126-251
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.oauth2-oauth2-proxy
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/oauth2-proxy/oauth2-manifests.yaml:126-251
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.oauth2-oauth2-proxy
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/oauth2-proxy/oauth2-manifests.yaml:126-251
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.oauth2-oauth2-proxy
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/oauth2-proxy/oauth2-manifests.yaml:126-251
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Ingress.default.ingress-wildcard-host
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_006__local__access_svc_clusterip_via_ingress/ingress.yaml:1-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: networking.k8s.io/v1
2 | kind: Ingress
3 | metadata:
4 |   name: ingress-wildcard-host
5 | spec:
6 |   rules:
7 |   - host: "testingress.com"
8 |     http:
9 |       paths:
10 |       - pathType: Prefix
11 |         path: "/whoami"
12 |         backend:
13 |           service:
14 |             name: whoami-dep-svc
15 |             port:
16 |               number: 80
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_022__gcp__k8s_dashboard/55-service-dashboard-metrics-scraper.yaml:1-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_022__gcp__k8s_dashboard/55-service-dashboard-metrics-scraper.yaml:1-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_022__gcp__k8s_dashboard/55-service-dashboard-metrics-scraper.yaml:1-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_022__gcp__k8s_dashboard/55-service-dashboard-metrics-scraper.yaml:1-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_022__gcp__k8s_dashboard/55-service-dashboard-metrics-scraper.yaml:1-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_022__gcp__k8s_dashboard/55-service-dashboard-metrics-scraper.yaml:1-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_33: "Ensure the Kubernetes dashboard is not deployed"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_022__gcp__k8s_dashboard/55-service-dashboard-metrics-scraper.yaml:1-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-31.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_022__gcp__k8s_dashboard/55-service-dashboard-metrics-scraper.yaml:1-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_022__gcp__k8s_dashboard/55-service-dashboard-metrics-scraper.yaml:1-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_022__gcp__k8s_dashboard/55-service-dashboard-metrics-scraper.yaml:1-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_022__gcp__k8s_dashboard/55-service-dashboard-metrics-scraper.yaml:1-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_022__gcp__k8s_dashboard/55-service-dashboard-metrics-scraper.yaml:1-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.kubernetes-dashboard.dashboard-metrics-scraper
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_022__gcp__k8s_dashboard/55-service-dashboard-metrics-scraper.yaml:1-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_022__gcp__k8s_dashboard/45-deployment.yaml:1-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_022__gcp__k8s_dashboard/45-deployment.yaml:1-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_022__gcp__k8s_dashboard/45-deployment.yaml:1-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_022__gcp__k8s_dashboard/45-deployment.yaml:1-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_022__gcp__k8s_dashboard/45-deployment.yaml:1-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_022__gcp__k8s_dashboard/45-deployment.yaml:1-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_022__gcp__k8s_dashboard/45-deployment.yaml:1-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_33: "Ensure the Kubernetes dashboard is not deployed"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_022__gcp__k8s_dashboard/45-deployment.yaml:1-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-31.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_022__gcp__k8s_dashboard/45-deployment.yaml:1-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_022__gcp__k8s_dashboard/45-deployment.yaml:1-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_022__gcp__k8s_dashboard/45-deployment.yaml:1-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_022__gcp__k8s_dashboard/45-deployment.yaml:1-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.kubernetes-dashboard.kubernetes-dashboard
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_022__gcp__k8s_dashboard/45-deployment.yaml:1-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.default.nginx-pod-1
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: nginx-pod-1
5 |   labels:
6 |     app: nginx-app
7 | spec:
8 |   containers:
9 |   - name: nginx
10 |     image: nginx
11 |
12 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.nginx-pod-1
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: nginx-pod-1
5 |   labels:
6 |     app: nginx-app
7 | spec:
8 |   containers:
9 |   - name: nginx
10 |     image: nginx
11 |
12 | ---
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Pod.default.nginx-pod-1
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: nginx-pod-1
5 |   labels:
6 |     app: nginx-app
7 | spec:
8 |   containers:
9 |   - name: nginx
10 |     image: nginx
11 |
12 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.nginx-pod-1
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: nginx-pod-1
5 |   labels:
6 |     app: nginx-app
7 | spec:
8 |   containers:
9 |   - name: nginx
10 |     image: nginx
11 |
12 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.nginx-pod-1
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: nginx-pod-1
5 |   labels:
6 |     app: nginx-app
7 | spec:
8 |   containers:
9 |   - name: nginx
10 |     image: nginx
11 |
12 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.nginx-pod-1
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: nginx-pod-1
5 |   labels:
6 |     app: nginx-app
7 | spec:
8 |   containers:
9 |   - name: nginx
10 |     image: nginx
11 |
12 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.default.nginx-pod-1
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: nginx-pod-1
5 |   labels:
6 |     app: nginx-app
7 | spec:
8 |   containers:
9 |   - name: nginx
10 |     image: nginx
11 |
12 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.nginx-pod-1
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: nginx-pod-1
5 |   labels:
6 |     app: nginx-app
7 | spec:
8 |   containers:
9 |   - name: nginx
10 |     image: nginx
11 |
12 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.nginx-pod-1
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: nginx-pod-1
5 |   labels:
6 |     app: nginx-app
7 | spec:
8 |   containers:
9 |   - name: nginx
10 |     image: nginx
11 |
12 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.nginx-pod-1
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: nginx-pod-1
5 |   labels:
6 |     app: nginx-app
7 | spec:
8 |   containers:
9 |   - name: nginx
10 |     image: nginx
11 |
12 | ---
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.default.nginx-pod-1
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: nginx-pod-1
5 |   labels:
6 |     app: nginx-app
7 | spec:
8 |   containers:
9 |   - name: nginx
10 |     image: nginx
11 |
12 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.nginx-pod-1
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: nginx-pod-1
5 |   labels:
6 |     app: nginx-app
7 | spec:
8 |   containers:
9 |   - name: nginx
10 |     image: nginx
11 |
12 | ---
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.default.nginx-pod-1
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: nginx-pod-1
5 |   labels:
6 |     app: nginx-app
7 | spec:
8 |   containers:
9 |   - name: nginx
10 |     image: nginx
11 |
12 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.nginx-pod-1
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: nginx-pod-1
5 |   labels:
6 |     app: nginx-app
7 | spec:
8 |   containers:
9 |   - name: nginx
10 |     image: nginx
11 |
12 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.nginx-pod-1
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: nginx-pod-1
5 |   labels:
6 |     app: nginx-app
7 | spec:
8 |   containers:
9 |   - name: nginx
10 |     image: nginx
11 |
12 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.nginx-pod-1
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: nginx-pod-1
5 |   labels:
6 |     app: nginx-app
7 | spec:
8 |   containers:
9 |   - name: nginx
10 |     image: nginx
11 |
12 | ---
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Pod.default.nginx-pod-1
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: nginx-pod-1
5 |   labels:
6 |     app: nginx-app
7 | spec:
8 |   containers:
9 |   - name: nginx
10 |     image: nginx
11 |
12 | ---
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.default.nginx-pod-1
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: nginx-pod-1
5 |   labels:
6 |     app: nginx-app
7 | spec:
8 |   containers:
9 |   - name: nginx
10 |     image: nginx
11 |
12 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.nginx-pod-1
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: nginx-pod-1
5 |   labels:
6 |     app: nginx-app
7 | spec:
8 |   containers:
9 |   - name: nginx
10 |     image: nginx
11 |
12 | ---
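Every finding above for `nginx-pod-1` (and the identical ones for `nginx-pod-2` and `nginx-pod-3` in the same `nginx-pods.yaml`) comes from the same ten-line manifest, so one hardened Pod spec clears the whole list. The manifest below is an added example written for this page, not code from the learn-devops repository. It assumes a namespace named `web`, the `nginxinc/nginx-unprivileged` image variant (which listens on 8080 and does not need root), UID/GID 10001, the resource values shown, and a digest placeholder that has to be replaced with the real digest from your registry. The same fields belong under `spec.template.spec` of the `kubernetes-dashboard` Deployment flagged earlier, which fails the same CKV_K8S_12/13/28/37/38 checks.

```yaml
# Added example (not from the learn-devops repository): nginx-pod-1 from
# nginx-pods.yaml rewritten so that every CKV_K8S_* check listed above passes.
# Assumptions not in the original: namespace "web", the unprivileged nginx
# image, UID/GID 10001, port 8080, the resource values, and the digest placeholder.
apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod-1
  namespace: web                        # CKV_K8S_21: anything but the default namespace
  labels:
    app: nginx-app                      # keep the label the headless Service selects on
spec:
  automountServiceAccountToken: false   # CKV_K8S_38: nginx never talks to the API server
  securityContext:                      # CKV_K8S_29: pod-level security context
    runAsNonRoot: true                  # CKV_K8S_23
    runAsUser: 10001                    # CKV_K8S_40: UID above 10000 cannot collide with a host user
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault              # CKV_K8S_31
  containers:
  - name: nginx
    # CKV_K8S_14 (fixed tag) and CKV_K8S_43 (digest). Placeholder: replace with
    # the real digest, e.g. from `docker manifest inspect` or `crane digest`.
    image: nginxinc/nginx-unprivileged:1.25.3@sha256:<digest-from-your-registry>
    ports:
    - containerPort: 8080               # the unprivileged image listens on 8080, not 80
    securityContext:                    # CKV_K8S_30: container-level security context
      allowPrivilegeEscalation: false   # CKV_K8S_20
      readOnlyRootFilesystem: true      # CKV_K8S_22
      runAsNonRoot: true
      runAsUser: 10001
      capabilities:
        drop: ["ALL"]                   # CKV_K8S_28 and CKV_K8S_37: NET_RAW gone, nothing added back
    resources:                          # CKV_K8S_10, 11, 12, 13
      requests:
        cpu: 50m
        memory: 64Mi
      limits:
        cpu: 250m
        memory: 128Mi
    livenessProbe:                      # CKV_K8S_8
      httpGet:
        path: /
        port: 8080
      initialDelaySeconds: 5
      periodSeconds: 10
    readinessProbe:                     # CKV_K8S_9
      httpGet:
        path: /
        port: 8080
      periodSeconds: 5
    volumeMounts:                       # the only paths nginx must write once the root fs is read-only
    - name: tmp
      mountPath: /tmp
    - name: cache
      mountPath: /var/cache/nginx
  volumes:
  - name: tmp
    emptyDir: {}
  - name: cache
    emptyDir: {}
```

Two things bite in practice. The stock `nginx` image cannot satisfy `runAsNonRoot` and `readOnlyRootFilesystem` together, because it binds port 80 and writes its pid file and cache under root-owned paths; that is why the example uses the unprivileged variant and adds the two `emptyDir` mounts. And `drop: ["ALL"]` removes `NET_RAW`, so `ping` from inside the container stops working, which is the intended effect of CKV_K8S_28. Apply the same spec to `nginx-pod-2` and `nginx-pod-3`, then re-scan with `checkov -f nginx-pods.yaml --framework kubernetes` to confirm the checks now pass.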
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.default.nginx-pod-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:13-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
13 | apiVersion: v1
14 | kind: Pod
15 | metadata:
16 |   name: nginx-pod-2
17 |   labels:
18 |     app: nginx-app
19 | spec:
20 |   containers:
21 |   - name: nginx
22 |     image: nginx
23 |
24 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.nginx-pod-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:13-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
13 | apiVersion: v1
14 | kind: Pod
15 | metadata:
16 |   name: nginx-pod-2
17 |   labels:
18 |     app: nginx-app
19 | spec:
20 |   containers:
21 |   - name: nginx
22 |     image: nginx
23 |
24 | ---
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Pod.default.nginx-pod-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:13-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
13 | apiVersion: v1
14 | kind: Pod
15 | metadata:
16 |   name: nginx-pod-2
17 |   labels:
18 |     app: nginx-app
19 | spec:
20 |   containers:
21 |   - name: nginx
22 |     image: nginx
23 |
24 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.nginx-pod-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:13-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
13 | apiVersion: v1
14 | kind: Pod
15 | metadata:
16 |   name: nginx-pod-2
17 |   labels:
18 |     app: nginx-app
19 | spec:
20 |   containers:
21 |   - name: nginx
22 |     image: nginx
23 |
24 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.nginx-pod-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:13-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
13 | apiVersion: v1
14 | kind: Pod
15 | metadata:
16 |   name: nginx-pod-2
17 |   labels:
18 |     app: nginx-app
19 | spec:
20 |   containers:
21 |   - name: nginx
22 |     image: nginx
23 |
24 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.nginx-pod-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:13-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
13 | apiVersion: v1
14 | kind: Pod
15 | metadata:
16 |   name: nginx-pod-2
17 |   labels:
18 |     app: nginx-app
19 | spec:
20 |   containers:
21 |   - name: nginx
22 |     image: nginx
23 |
24 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.default.nginx-pod-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:13-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
13 | apiVersion: v1
14 | kind: Pod
15 | metadata:
16 |   name: nginx-pod-2
17 |   labels:
18 |     app: nginx-app
19 | spec:
20 |   containers:
21 |   - name: nginx
22 |     image: nginx
23 |
24 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.nginx-pod-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:13-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
13 | apiVersion: v1
14 | kind: Pod
15 | metadata:
16 |   name: nginx-pod-2
17 |   labels:
18 |     app: nginx-app
19 | spec:
20 |   containers:
21 |   - name: nginx
22 |     image: nginx
23 |
24 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.nginx-pod-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:13-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
13 | apiVersion: v1
14 | kind: Pod
15 | metadata:
16 |   name: nginx-pod-2
17 |   labels:
18 |     app: nginx-app
19 | spec:
20 |   containers:
21 |   - name: nginx
22 |     image: nginx
23 |
24 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.nginx-pod-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:13-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
13 | apiVersion: v1
14 | kind: Pod
15 | metadata:
16 |   name: nginx-pod-2
17 |   labels:
18 |     app: nginx-app
19 | spec:
20 |   containers:
21 |   - name: nginx
22 |     image: nginx
23 |
24 | ---
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.default.nginx-pod-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:13-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
13 | apiVersion: v1
14 | kind: Pod
15 | metadata:
16 |   name: nginx-pod-2
17 |   labels:
18 |     app: nginx-app
19 | spec:
20 |   containers:
21 |   - name: nginx
22 |     image: nginx
23 |
24 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.nginx-pod-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:13-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
13 | apiVersion: v1
14 | kind: Pod
15 | metadata:
16 |   name: nginx-pod-2
17 |   labels:
18 |     app: nginx-app
19 | spec:
20 |   containers:
21 |   - name: nginx
22 |     image: nginx
23 |
24 | ---
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.default.nginx-pod-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:13-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
13 | apiVersion: v1
14 | kind: Pod
15 | metadata:
16 |   name: nginx-pod-2
17 |   labels:
18 |     app: nginx-app
19 | spec:
20 |   containers:
21 |   - name: nginx
22 |     image: nginx
23 |
24 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.nginx-pod-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:13-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
13 | apiVersion: v1
14 | kind: Pod
15 | metadata:
16 |   name: nginx-pod-2
17 |   labels:
18 |     app: nginx-app
19 | spec:
20 |   containers:
21 |   - name: nginx
22 |     image: nginx
23 |
24 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.nginx-pod-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:13-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
13 | apiVersion: v1
14 | kind: Pod
15 | metadata:
16 |   name: nginx-pod-2
17 |   labels:
18 |     app: nginx-app
19 | spec:
20 |   containers:
21 |   - name: nginx
22 |     image: nginx
23 |
24 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.nginx-pod-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:13-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
13 | apiVersion: v1
14 | kind: Pod
15 | metadata:
16 |   name: nginx-pod-2
17 |   labels:
18 |     app: nginx-app
19 | spec:
20 |   containers:
21 |   - name: nginx
22 |     image: nginx
23 |
24 | ---
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Pod.default.nginx-pod-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:13-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
13 | apiVersion: v1
14 | kind: Pod
15 | metadata:
16 |   name: nginx-pod-2
17 |   labels:
18 |     app: nginx-app
19 | spec:
20 |   containers:
21 |   - name: nginx
22 |     image: nginx
23 |
24 | ---
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.default.nginx-pod-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:13-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
13 | apiVersion: v1
14 | kind: Pod
15 | metadata:
16 |   name: nginx-pod-2
17 |   labels:
18 |     app: nginx-app
19 | spec:
20 |   containers:
21 |   - name: nginx
22 |     image: nginx
23 |
24 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.nginx-pod-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:13-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
13 | apiVersion: v1
14 | kind: Pod
15 | metadata:
16 |   name: nginx-pod-2
17 |   labels:
18 |     app: nginx-app
19 | spec:
20 |   containers:
21 |   - name: nginx
22 |     image: nginx
23 |
24 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.default.nginx-pod-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:25-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
25 | apiVersion: v1
26 | kind: Pod
27 | metadata:
28 |   name: nginx-pod-3
29 |   labels:
30 |     app: nginx-app
31 | spec:
32 |   containers:
33 |   - name: nginx
34 |     image: nginx
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.nginx-pod-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:25-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
25 | apiVersion: v1
26 | kind: Pod
27 | metadata:
28 |   name: nginx-pod-3
29 |   labels:
30 |     app: nginx-app
31 | spec:
32 |   containers:
33 |   - name: nginx
34 |     image: nginx
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Pod.default.nginx-pod-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:25-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
25 | apiVersion: v1
26 | kind: Pod
27 | metadata:
28 |   name: nginx-pod-3
29 |   labels:
30 |     app: nginx-app
31 | spec:
32 |   containers:
33 |   - name: nginx
34 |     image: nginx
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.nginx-pod-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:25-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
25 | apiVersion: v1
26 | kind: Pod
27 | metadata:
28 |   name: nginx-pod-3
29 |   labels:
30 |     app: nginx-app
31 | spec:
32 |   containers:
33 |   - name: nginx
34 |     image: nginx
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.nginx-pod-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:25-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
25 | apiVersion: v1
26 | kind: Pod
27 | metadata:
28 |   name: nginx-pod-3
29 |   labels:
30 |     app: nginx-app
31 | spec:
32 |   containers:
33 |   - name: nginx
34 |     image: nginx
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.nginx-pod-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:25-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
25 | apiVersion: v1
26 | kind: Pod
27 | metadata:
28 |   name: nginx-pod-3
29 |   labels:
30 |     app: nginx-app
31 | spec:
32 |   containers:
33 |   - name: nginx
34 |     image: nginx
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.default.nginx-pod-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:25-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
25 | apiVersion: v1
26 | kind: Pod
27 | metadata:
28 |   name: nginx-pod-3
29 |   labels:
30 |     app: nginx-app
31 | spec:
32 |   containers:
33 |   - name: nginx
34 |     image: nginx
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.nginx-pod-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:25-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
25 | apiVersion: v1
26 | kind: Pod
27 | metadata:
28 |   name: nginx-pod-3
29 |   labels:
30 |     app: nginx-app
31 | spec:
32 |   containers:
33 |   - name: nginx
34 |     image: nginx
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.nginx-pod-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:25-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
25 | apiVersion: v1
26 | kind: Pod
27 | metadata:
28 |   name: nginx-pod-3
29 |   labels:
30 |     app: nginx-app
31 | spec:
32 |   containers:
33 |   - name: nginx
34 |     image: nginx
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.nginx-pod-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:25-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
25 | apiVersion: v1
26 | kind: Pod
27 | metadata:
28 |   name: nginx-pod-3
29 |   labels:
30 |     app: nginx-app
31 | spec:
32 |   containers:
33 |   - name: nginx
34 |     image: nginx
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.default.nginx-pod-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:25-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
25 | apiVersion: v1
26 | kind: Pod
27 | metadata:
28 |   name: nginx-pod-3
29 |   labels:
30 |     app: nginx-app
31 | spec:
32 |   containers:
33 |   - name: nginx
34 |     image: nginx
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.nginx-pod-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:25-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
25 | apiVersion: v1
26 | kind: Pod
27 | metadata:
28 |   name: nginx-pod-3
29 |   labels:
30 |     app: nginx-app
31 | spec:
32 |   containers:
33 |   - name: nginx
34 |     image: nginx
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.default.nginx-pod-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:25-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
25 | apiVersion: v1
26 | kind: Pod
27 | metadata:
28 |   name: nginx-pod-3
29 |   labels:
30 |     app: nginx-app
31 | spec:
32 |   containers:
33 |   - name: nginx
34 |     image: nginx
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.nginx-pod-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:25-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
25 | apiVersion: v1
26 | kind: Pod
27 | metadata:
28 |   name: nginx-pod-3
29 |   labels:
30 |     app: nginx-app
31 | spec:
32 |   containers:
33 |   - name: nginx
34 |     image: nginx
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.nginx-pod-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:25-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.nginx-pod-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:25-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Pod.default.nginx-pod-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:25-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.default.nginx-pod-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:25-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.nginx-pod-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:25-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.nginx-headless
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/headless-svc.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 | name: nginx-headless
5 | spec:
6 | selector:
7 | app: nginx-app
8 | ports:
9 | - protocol: TCP
10 | port: 80
11 | clusterIP: None # This makes the service headless
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.default.default-cpu-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-cpu-demo
5 | spec:
6 | containers:
7 | - name: default-cpu-demo-ctr
8 | image: nginx
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.default-cpu-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Pod.default.default-cpu-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.default-cpu-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.default-cpu-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.default-cpu-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.default.default-cpu-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.default-cpu-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.default-cpu-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.default-cpu-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.default.default-cpu-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.default-cpu-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.default.default-cpu-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.default-cpu-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.default-cpu-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.default-cpu-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Pod.default.default-cpu-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.default.default-cpu-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.default-cpu-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.default-cpu-demo-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-limit-cpu.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-cpu-demo-2
5 | spec:
6 | containers:
7 | - name: default-cpu-demo-2-ctr
8 | image: nginx
9 | resources:
10 | limits:
11 | cpu: "1"
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.default-cpu-demo-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-limit-cpu.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.default-cpu-demo-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-limit-cpu.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.default-cpu-demo-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-limit-cpu.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.default.default-cpu-demo-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-limit-cpu.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.default-cpu-demo-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-limit-cpu.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.default-cpu-demo-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-limit-cpu.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.default-cpu-demo-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-limit-cpu.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.default.default-cpu-demo-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-limit-cpu.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.default-cpu-demo-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-limit-cpu.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.default.default-cpu-demo-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-limit-cpu.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.default-cpu-demo-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-limit-cpu.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.default-cpu-demo-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-limit-cpu.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.default-cpu-demo-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-limit-cpu.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.default.default-cpu-demo-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-limit-cpu.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.default-cpu-demo-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-limit-cpu.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.default.default-cpu-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-request-cpu.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-cpu-demo-3
5 | spec:
6 | containers:
7 | - name: default-cpu-demo-3-ctr
8 | image: nginx
9 | resources:
10 | requests:
11 | cpu: "0.75"
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.default-cpu-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-request-cpu.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.default-cpu-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-request-cpu.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.default-cpu-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-request-cpu.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.default-cpu-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-request-cpu.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.default.default-cpu-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-request-cpu.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.default-cpu-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-request-cpu.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.default-cpu-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-request-cpu.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.default-cpu-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-request-cpu.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-cpu-demo-3
5 | spec:
6 | containers:
7 | - name: default-cpu-demo-3-ctr
8 | image: nginx
9 | resources:
10 | requests:
11 | cpu: "0.75"
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.default.default-cpu-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-request-cpu.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-cpu-demo-3
5 | spec:
6 | containers:
7 | - name: default-cpu-demo-3-ctr
8 | image: nginx
9 | resources:
10 | requests:
11 | cpu: "0.75"
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.default-cpu-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-request-cpu.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-cpu-demo-3
5 | spec:
6 | containers:
7 | - name: default-cpu-demo-3-ctr
8 | image: nginx
9 | resources:
10 | requests:
11 | cpu: "0.75"
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.default.default-cpu-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-request-cpu.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-cpu-demo-3
5 | spec:
6 | containers:
7 | - name: default-cpu-demo-3-ctr
8 | image: nginx
9 | resources:
10 | requests:
11 | cpu: "0.75"
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.default-cpu-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-request-cpu.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-cpu-demo-3
5 | spec:
6 | containers:
7 | - name: default-cpu-demo-3-ctr
8 | image: nginx
9 | resources:
10 | requests:
11 | cpu: "0.75"
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.default-cpu-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-request-cpu.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-cpu-demo-3
5 | spec:
6 | containers:
7 | - name: default-cpu-demo-3-ctr
8 | image: nginx
9 | resources:
10 | requests:
11 | cpu: "0.75"
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.default-cpu-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-request-cpu.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-cpu-demo-3
5 | spec:
6 | containers:
7 | - name: default-cpu-demo-3-ctr
8 | image: nginx
9 | resources:
10 | requests:
11 | cpu: "0.75"
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Pod.default.default-cpu-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-request-cpu.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-cpu-demo-3
5 | spec:
6 | containers:
7 | - name: default-cpu-demo-3-ctr
8 | image: nginx
9 | resources:
10 | requests:
11 | cpu: "0.75"
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.default.default-cpu-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-request-cpu.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-cpu-demo-3
5 | spec:
6 | containers:
7 | - name: default-cpu-demo-3-ctr
8 | image: nginx
9 | resources:
10 | requests:
11 | cpu: "0.75"
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.default-cpu-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_001__local__configure_default_CPU_requests_and_limits_for_a_namespace/pod-request-cpu.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-cpu-demo-3
5 | spec:
6 | containers:
7 | - name: default-cpu-demo-3-ctr
8 | image: nginx
9 | resources:
10 | requests:
11 | cpu: "0.75"
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.default.default-mem-demo-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-limit-memory.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo-2
5 | spec:
6 | containers:
7 | - name: default-mem-demo-2-ctr
8 | image: nginx
9 | resources:
10 | limits:
11 | memory: "1Gi"
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.default-mem-demo-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-limit-memory.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo-2
5 | spec:
6 | containers:
7 | - name: default-mem-demo-2-ctr
8 | image: nginx
9 | resources:
10 | limits:
11 | memory: "1Gi"
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.default-mem-demo-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-limit-memory.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo-2
5 | spec:
6 | containers:
7 | - name: default-mem-demo-2-ctr
8 | image: nginx
9 | resources:
10 | limits:
11 | memory: "1Gi"
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.default-mem-demo-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-limit-memory.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo-2
5 | spec:
6 | containers:
7 | - name: default-mem-demo-2-ctr
8 | image: nginx
9 | resources:
10 | limits:
11 | memory: "1Gi"
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.default-mem-demo-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-limit-memory.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo-2
5 | spec:
6 | containers:
7 | - name: default-mem-demo-2-ctr
8 | image: nginx
9 | resources:
10 | limits:
11 | memory: "1Gi"
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.default.default-mem-demo-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-limit-memory.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo-2
5 | spec:
6 | containers:
7 | - name: default-mem-demo-2-ctr
8 | image: nginx
9 | resources:
10 | limits:
11 | memory: "1Gi"
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.default-mem-demo-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-limit-memory.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo-2
5 | spec:
6 | containers:
7 | - name: default-mem-demo-2-ctr
8 | image: nginx
9 | resources:
10 | limits:
11 | memory: "1Gi"
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.default-mem-demo-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-limit-memory.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo-2
5 | spec:
6 | containers:
7 | - name: default-mem-demo-2-ctr
8 | image: nginx
9 | resources:
10 | limits:
11 | memory: "1Gi"
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.default-mem-demo-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-limit-memory.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo-2
5 | spec:
6 | containers:
7 | - name: default-mem-demo-2-ctr
8 | image: nginx
9 | resources:
10 | limits:
11 | memory: "1Gi"
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.default.default-mem-demo-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-limit-memory.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo-2
5 | spec:
6 | containers:
7 | - name: default-mem-demo-2-ctr
8 | image: nginx
9 | resources:
10 | limits:
11 | memory: "1Gi"
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.default-mem-demo-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-limit-memory.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo-2
5 | spec:
6 | containers:
7 | - name: default-mem-demo-2-ctr
8 | image: nginx
9 | resources:
10 | limits:
11 | memory: "1Gi"
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.default-mem-demo-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-limit-memory.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo-2
5 | spec:
6 | containers:
7 | - name: default-mem-demo-2-ctr
8 | image: nginx
9 | resources:
10 | limits:
11 | memory: "1Gi"
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.default-mem-demo-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-limit-memory.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo-2
5 | spec:
6 | containers:
7 | - name: default-mem-demo-2-ctr
8 | image: nginx
9 | resources:
10 | limits:
11 | memory: "1Gi"
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.default-mem-demo-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-limit-memory.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo-2
5 | spec:
6 | containers:
7 | - name: default-mem-demo-2-ctr
8 | image: nginx
9 | resources:
10 | limits:
11 | memory: "1Gi"
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.default.default-mem-demo-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-limit-memory.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo-2
5 | spec:
6 | containers:
7 | - name: default-mem-demo-2-ctr
8 | image: nginx
9 | resources:
10 | limits:
11 | memory: "1Gi"
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.default-mem-demo-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-limit-memory.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo-2
5 | spec:
6 | containers:
7 | - name: default-mem-demo-2-ctr
8 | image: nginx
9 | resources:
10 | limits:
11 | memory: "1Gi"
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.default.default-mem-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo
5 | spec:
6 | containers:
7 | - name: default-mem-demo-ctr
8 | image: nginx
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.default-mem-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo
5 | spec:
6 | containers:
7 | - name: default-mem-demo-ctr
8 | image: nginx
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Pod.default.default-mem-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo
5 | spec:
6 | containers:
7 | - name: default-mem-demo-ctr
8 | image: nginx
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.default-mem-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo
5 | spec:
6 | containers:
7 | - name: default-mem-demo-ctr
8 | image: nginx
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.default-mem-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo
5 | spec:
6 | containers:
7 | - name: default-mem-demo-ctr
8 | image: nginx
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.default-mem-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo
5 | spec:
6 | containers:
7 | - name: default-mem-demo-ctr
8 | image: nginx
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.default.default-mem-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo
5 | spec:
6 | containers:
7 | - name: default-mem-demo-ctr
8 | image: nginx
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.default-mem-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo
5 | spec:
6 | containers:
7 | - name: default-mem-demo-ctr
8 | image: nginx
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.default-mem-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo
5 | spec:
6 | containers:
7 | - name: default-mem-demo-ctr
8 | image: nginx
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.default-mem-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo
5 | spec:
6 | containers:
7 | - name: default-mem-demo-ctr
8 | image: nginx
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.default.default-mem-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo
5 | spec:
6 | containers:
7 | - name: default-mem-demo-ctr
8 | image: nginx
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.default-mem-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo
5 | spec:
6 | containers:
7 | - name: default-mem-demo-ctr
8 | image: nginx
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.default.default-mem-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo
5 | spec:
6 | containers:
7 | - name: default-mem-demo-ctr
8 | image: nginx
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.default-mem-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo
5 | spec:
6 | containers:
7 | - name: default-mem-demo-ctr
8 | image: nginx
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.default-mem-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo
5 | spec:
6 | containers:
7 | - name: default-mem-demo-ctr
8 | image: nginx
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.default-mem-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo
5 | spec:
6 | containers:
7 | - name: default-mem-demo-ctr
8 | image: nginx
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Pod.default.default-mem-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo
5 | spec:
6 | containers:
7 | - name: default-mem-demo-ctr
8 | image: nginx
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.default.default-mem-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo
5 | spec:
6 | containers:
7 | - name: default-mem-demo-ctr
8 | image: nginx
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.default-mem-demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-no-limit-specified.yaml:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo
5 | spec:
6 | containers:
7 | - name: default-mem-demo-ctr
8 | image: nginx
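Every one of the nineteen findings reported above for pod-no-limit-specified.yaml is a property of the manifest itself, so a scanner can be satisfied without touching the cluster. The Python below is an added example, not checkov's code and not code from the repository: it re-implements each listed check as a small predicate (the check IDs are checkov's, the predicate logic is my reading of each check's title, so where the two disagree checkov's verdict is the one that matters), runs them over the page's default-mem-demo manifest, and then over a hardened rewrite that clears all of them. The namespace mem-example, the nginx 1.25.3 tag, the all-zero digest, the UID 10001, the probe port 8080 and the 10000 "high UID" threshold are assumptions for illustration, not values taken from the page.

```python
"""Added example, not checkov's code: simplified re-implementation of the pod checks in the
report above, run on the page's default-mem-demo manifest and on a hardened rewrite of it."""
from typing import Any, Callable, Dict, Set
Pod = Container = Dict[str, Any]

def _pod_sc(pod: Pod) -> Dict[str, Any]:
    return pod["spec"].get("securityContext") or {}

def _ctr_sc(ctr: Container) -> Dict[str, Any]:
    return ctr.get("securityContext") or {}

def _effective(pod: Pod, ctr: Container, key: str) -> Any:
    """Container securityContext overrides the pod-level field, as in Kubernetes."""
    return _ctr_sc(ctr)[key] if key in _ctr_sc(ctr) else _pod_sc(pod).get(key)

def _uid(pod: Pod, ctr: Container) -> int:
    uid = _effective(pod, ctr, "runAsUser")
    return uid if isinstance(uid, int) else -1  # -1: no runAsUser set anywhere

def _image_tag(image: str) -> str:
    """Tag of an image reference, '' when absent ('nginx', 'host:5000/nginx')."""
    name = image.split("@", 1)[0]  # a digest suffix is not a tag
    slash, colon = name.rfind("/"), name.rfind(":")
    return name[colon + 1:] if colon > slash else ""

def _resource(ctr: Container, kind: str, res: str) -> Any:
    resources = ctr.get("resources") or {}
    value = (resources.get(kind) or {}).get(res)
    if value is None and kind == "requests":  # Kubernetes defaults a request to its limit
        value = (resources.get("limits") or {}).get(res)
    return value

def _dropped(ctr: Container) -> Set[str]:
    return {c.upper() for c in (_ctr_sc(ctr).get("capabilities") or {}).get("drop") or []}

def _seccomp_ok(pod: Pod, ctr: Container) -> bool:
    if (_effective(pod, ctr, "seccompProfile") or {}).get("type") == "RuntimeDefault":
        return True
    legacy = (pod["metadata"].get("annotations") or {}).get("seccomp.security.alpha.kubernetes.io/pod")
    return legacy in ("runtime/default", "docker/default")

CONTAINER_CHECKS: Dict[str, Callable[[Pod, Container], bool]] = {
    "CKV_K8S_8": lambda p, c: "livenessProbe" in c,
    "CKV_K8S_9": lambda p, c: "readinessProbe" in c,
    "CKV_K8S_10": lambda p, c: _resource(c, "requests", "cpu") is not None,
    "CKV_K8S_11": lambda p, c: _resource(c, "limits", "cpu") is not None,
    "CKV_K8S_12": lambda p, c: _resource(c, "requests", "memory") is not None,
    "CKV_K8S_13": lambda p, c: _resource(c, "limits", "memory") is not None,
    "CKV_K8S_14": lambda p, c: _image_tag(c["image"]) not in ("", "latest"),
    "CKV_K8S_20": lambda p, c: _ctr_sc(c).get("allowPrivilegeEscalation") is False,
    "CKV_K8S_22": lambda p, c: _ctr_sc(c).get("readOnlyRootFilesystem") is True,
    "CKV_K8S_23": lambda p, c: _effective(p, c, "runAsNonRoot") is True or _uid(p, c) > 0,
    "CKV_K8S_28": lambda p, c: bool(_dropped(c) & {"NET_RAW", "ALL"}),
    "CKV_K8S_30": lambda p, c: bool(_ctr_sc(c)),
    "CKV_K8S_31": _seccomp_ok,
    "CKV_K8S_37": lambda p, c: "ALL" in _dropped(c),
    "CKV_K8S_40": lambda p, c: _uid(p, c) >= 10000,  # assumed "high UID" threshold
    "CKV_K8S_43": lambda p, c: "@sha256:" in c["image"],
}
POD_CHECKS: Dict[str, Callable[[Pod], bool]] = {
    "CKV_K8S_21": lambda p: p["metadata"].get("namespace") not in (None, "", "default"),
    "CKV_K8S_29": lambda p: bool(_pod_sc(p)) and all(_ctr_sc(c) for c in p["spec"]["containers"]),
    "CKV_K8S_38": lambda p: p["spec"].get("automountServiceAccountToken") is False,
}

def failed_checks(pod: Pod) -> Set[str]:
    """IDs of every check that fails for the pod or for any of its containers."""
    failed = {cid for cid, ok in POD_CHECKS.items() if not ok(pod)}
    for ctr in pod["spec"]["containers"]:
        failed |= {cid for cid, ok in CONTAINER_CHECKS.items() if not ok(pod, ctr)}
    return failed

ORIGINAL_POD: Pod = {  # the page's pod-no-limit-specified.yaml, as a dict
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "default-mem-demo"},
    "spec": {"containers": [{"name": "default-mem-demo-ctr", "image": "nginx"}]}}

HARDENED_POD: Pod = {  # namespace, tag, UID, port and the all-zero digest are placeholders
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "default-mem-demo", "namespace": "mem-example"},
    "spec": {
        "automountServiceAccountToken": False,  # CKV_K8S_38: nginx needs no API token
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "default-mem-demo-ctr",
            "image": "nginx:1.25.3@sha256:" + "0" * 64,  # pin tag AND digest; fill in the real digest
            "securityContext": {"runAsUser": 10001, "allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}},
            "resources": {"requests": {"cpu": "250m", "memory": "128Mi"},
                          "limits": {"cpu": "500m", "memory": "256Mi"}},
            "livenessProbe": {"httpGet": {"path": "/", "port": 8080}},
            "readinessProbe": {"httpGet": {"path": "/", "port": 8080}},
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("original", ORIGINAL_POD), ("hardened", HARDENED_POD)):
        print(label, sorted(failed_checks(pod)) or "all checks pass")
```

Running the file prints the nineteen failing IDs for the original manifest and "all checks pass" for the hardened one; the hardened dict is the YAML manifest one level of indentation away. Two caveats before applying it to the stock nginx image: with readOnlyRootFilesystem the server needs writable emptyDir volumes mounted at its cache and pid paths (/var/cache/nginx and /var/run), and a non-root UID cannot bind port 80, so either change the listen port in the nginx config or use an image built to run unprivileged. Replace the zero digest with the real one from the registry; a digest that does not match is an image pull failure, not a silent fallback to the tag, which is exactly the property CKV_K8S_43 is buying you.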
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.default.default-mem-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-request-memory.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo-3
5 | spec:
6 | containers:
7 | - name: default-mem-demo-3-ctr
8 | image: nginx
9 | resources:
10 | requests:
11 | memory: "128Mi"
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.default-mem-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-request-memory.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo-3
5 | spec:
6 | containers:
7 | - name: default-mem-demo-3-ctr
8 | image: nginx
9 | resources:
10 | requests:
11 | memory: "128Mi"
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Pod.default.default-mem-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-request-memory.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo-3
5 | spec:
6 | containers:
7 | - name: default-mem-demo-3-ctr
8 | image: nginx
9 | resources:
10 | requests:
11 | memory: "128Mi"
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.default-mem-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-request-memory.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo-3
5 | spec:
6 | containers:
7 | - name: default-mem-demo-3-ctr
8 | image: nginx
9 | resources:
10 | requests:
11 | memory: "128Mi"
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.default-mem-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-request-memory.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo-3
5 | spec:
6 | containers:
7 | - name: default-mem-demo-3-ctr
8 | image: nginx
9 | resources:
10 | requests:
11 | memory: "128Mi"
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.default-mem-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-request-memory.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo-3
5 | spec:
6 | containers:
7 | - name: default-mem-demo-3-ctr
8 | image: nginx
9 | resources:
10 | requests:
11 | memory: "128Mi"
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.default.default-mem-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-request-memory.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo-3
5 | spec:
6 | containers:
7 | - name: default-mem-demo-3-ctr
8 | image: nginx
9 | resources:
10 | requests:
11 | memory: "128Mi"
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.default-mem-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-request-memory.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo-3
5 | spec:
6 | containers:
7 | - name: default-mem-demo-3-ctr
8 | image: nginx
9 | resources:
10 | requests:
11 | memory: "128Mi"
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.default-mem-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-request-memory.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo-3
5 | spec:
6 | containers:
7 | - name: default-mem-demo-3-ctr
8 | image: nginx
9 | resources:
10 | requests:
11 | memory: "128Mi"
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.default-mem-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-request-memory.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo-3
5 | spec:
6 | containers:
7 | - name: default-mem-demo-3-ctr
8 | image: nginx
9 | resources:
10 | requests:
11 | memory: "128Mi"
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.default.default-mem-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-request-memory.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo-3
5 | spec:
6 | containers:
7 | - name: default-mem-demo-3-ctr
8 | image: nginx
9 | resources:
10 | requests:
11 | memory: "128Mi"
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.default-mem-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-request-memory.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo-3
5 | spec:
6 | containers:
7 | - name: default-mem-demo-3-ctr
8 | image: nginx
9 | resources:
10 | requests:
11 | memory: "128Mi"
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.default.default-mem-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-request-memory.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo-3
5 | spec:
6 | containers:
7 | - name: default-mem-demo-3-ctr
8 | image: nginx
9 | resources:
10 | requests:
11 | memory: "128Mi"
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.default-mem-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-request-memory.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo-3
5 | spec:
6 | containers:
7 | - name: default-mem-demo-3-ctr
8 | image: nginx
9 | resources:
10 | requests:
11 | memory: "128Mi"
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.default-mem-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-request-memory.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo-3
5 | spec:
6 | containers:
7 | - name: default-mem-demo-3-ctr
8 | image: nginx
9 | resources:
10 | requests:
11 | memory: "128Mi"
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.default-mem-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-request-memory.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo-3
5 | spec:
6 | containers:
7 | - name: default-mem-demo-3-ctr
8 | image: nginx
9 | resources:
10 | requests:
11 | memory: "128Mi"
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.default.default-mem-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-request-memory.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo-3
5 | spec:
6 | containers:
7 | - name: default-mem-demo-3-ctr
8 | image: nginx
9 | resources:
10 | requests:
11 | memory: "128Mi"
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.default-mem-demo-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_002__local__configure_default_memory_requests_and_limits_for_a_namespace/pod-request-memory.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: default-mem-demo-3
5 | spec:
6 | containers:
7 | - name: default-mem-demo-3-ctr
8 | image: nginx
9 | resources:
10 | requests:
11 | memory: "128Mi"
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_027__gcp__intermediate_cluster_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: www
5 | namespace: kube-system
6 | spec:
7 | replicas: 3
8 | selector:
9 | matchLabels:
10 | app: www
11 | template:
12 | metadata:
13 | labels:
14 | app: www
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14-alpine
19 | ports:
20 | - containerPort: 80
21 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_027__gcp__intermediate_cluster_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: www
5 | namespace: kube-system
6 | spec:
7 | replicas: 3
8 | selector:
9 | matchLabels:
10 | app: www
11 | template:
12 | metadata:
13 | labels:
14 | app: www
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14-alpine
19 | ports:
20 | - containerPort: 80
21 | ---
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_027__gcp__intermediate_cluster_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: www
5 | namespace: kube-system
6 | spec:
7 | replicas: 3
8 | selector:
9 | matchLabels:
10 | app: www
11 | template:
12 | metadata:
13 | labels:
14 | app: www
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14-alpine
19 | ports:
20 | - containerPort: 80
21 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_027__gcp__intermediate_cluster_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: www
5 | namespace: kube-system
6 | spec:
7 | replicas: 3
8 | selector:
9 | matchLabels:
10 | app: www
11 | template:
12 | metadata:
13 | labels:
14 | app: www
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14-alpine
19 | ports:
20 | - containerPort: 80
21 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_027__gcp__intermediate_cluster_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: www
5 | namespace: kube-system
6 | spec:
7 | replicas: 3
8 | selector:
9 | matchLabels:
10 | app: www
11 | template:
12 | metadata:
13 | labels:
14 | app: www
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14-alpine
19 | ports:
20 | - containerPort: 80
21 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_027__gcp__intermediate_cluster_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: www
5 | namespace: kube-system
6 | spec:
7 | replicas: 3
8 | selector:
9 | matchLabels:
10 | app: www
11 | template:
12 | metadata:
13 | labels:
14 | app: www
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14-alpine
19 | ports:
20 | - containerPort: 80
21 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_027__gcp__intermediate_cluster_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: www
5 | namespace: kube-system
6 | spec:
7 | replicas: 3
8 | selector:
9 | matchLabels:
10 | app: www
11 | template:
12 | metadata:
13 | labels:
14 | app: www
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14-alpine
19 | ports:
20 | - containerPort: 80
21 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_027__gcp__intermediate_cluster_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: www
5 | namespace: kube-system
6 | spec:
7 | replicas: 3
8 | selector:
9 | matchLabels:
10 | app: www
11 | template:
12 | metadata:
13 | labels:
14 | app: www
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14-alpine
19 | ports:
20 | - containerPort: 80
21 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_027__gcp__intermediate_cluster_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: www
5 | namespace: kube-system
6 | spec:
7 | replicas: 3
8 | selector:
9 | matchLabels:
10 | app: www
11 | template:
12 | metadata:
13 | labels:
14 | app: www
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14-alpine
19 | ports:
20 | - containerPort: 80
21 | ---
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_027__gcp__intermediate_cluster_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: www
5 | namespace: kube-system
6 | spec:
7 | replicas: 3
8 | selector:
9 | matchLabels:
10 | app: www
11 | template:
12 | metadata:
13 | labels:
14 | app: www
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14-alpine
19 | ports:
20 | - containerPort: 80
21 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_027__gcp__intermediate_cluster_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: www
5 | namespace: kube-system
6 | spec:
7 | replicas: 3
8 | selector:
9 | matchLabels:
10 | app: www
11 | template:
12 | metadata:
13 | labels:
14 | app: www
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14-alpine
19 | ports:
20 | - containerPort: 80
21 | ---
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_027__gcp__intermediate_cluster_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: www
5 | namespace: kube-system
6 | spec:
7 | replicas: 3
8 | selector:
9 | matchLabels:
10 | app: www
11 | template:
12 | metadata:
13 | labels:
14 | app: www
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14-alpine
19 | ports:
20 | - containerPort: 80
21 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_027__gcp__intermediate_cluster_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: www
5 | namespace: kube-system
6 | spec:
7 | replicas: 3
8 | selector:
9 | matchLabels:
10 | app: www
11 | template:
12 | metadata:
13 | labels:
14 | app: www
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14-alpine
19 | ports:
20 | - containerPort: 80
21 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_027__gcp__intermediate_cluster_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: www
5 | namespace: kube-system
6 | spec:
7 | replicas: 3
8 | selector:
9 | matchLabels:
10 | app: www
11 | template:
12 | metadata:
13 | labels:
14 | app: www
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14-alpine
19 | ports:
20 | - containerPort: 80
21 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_027__gcp__intermediate_cluster_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: www
5 | namespace: kube-system
6 | spec:
7 | replicas: 3
8 | selector:
9 | matchLabels:
10 | app: www
11 | template:
12 | metadata:
13 | labels:
14 | app: www
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14-alpine
19 | ports:
20 | - containerPort: 80
21 | ---
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_027__gcp__intermediate_cluster_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: www
5 | namespace: kube-system
6 | spec:
7 | replicas: 3
8 | selector:
9 | matchLabels:
10 | app: www
11 | template:
12 | metadata:
13 | labels:
14 | app: www
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14-alpine
19 | ports:
20 | - containerPort: 80
21 | ---
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_027__gcp__intermediate_cluster_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: www
5 | namespace: kube-system
6 | spec:
7 | replicas: 3
8 | selector:
9 | matchLabels:
10 | app: www
11 | template:
12 | metadata:
13 | labels:
14 | app: www
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14-alpine
19 | ports:
20 | - containerPort: 80
21 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.kube-system.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_027__gcp__intermediate_cluster_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: www
5 | namespace: kube-system
6 | spec:
7 | replicas: 3
8 | selector:
9 | matchLabels:
10 | app: www
11 | template:
12 | metadata:
13 | labels:
14 | app: www
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14-alpine
19 | ports:
20 | - containerPort: 80
21 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/20-traefik-service.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: Service
4 | metadata:
5 | name: traefik
6 | spec:
7 | type: LoadBalancer
8 | selector:
9 | app: traefik
10 | ports:
11 | - protocol: TCP
12 | port: 80
13 | name: web
14 | targetPort: 80
15 | - protocol: TCP
16 | port: 443
17 | name: websecure
18 | targetPort: 80
19 | - protocol: TCP
20 | port: 8080
21 | name: admin
22 | targetPort: 8080
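The findings above for `pod-request-memory.yaml`, `www.yaml` and the `traefik` Service (and the `whoami` Deployment that follows) repeat one set of Checkov checks. The Python script below is an added example, not part of this repository and not Checkov's own code: it re-implements those checks as small predicates, runs them over the two flagged manifests transcribed from the report, and over a hardened version of the Pod that passes every one of them. The predicates approximate Checkov's built-in checks, written from the check titles and Checkov's documented behaviour (for instance, CKV_K8S_15 passes an untagged image because Kubernetes already pulls it on every start, which is why the Pod is not flagged for it above); a clean result here is a fast pre-flight check, not a replacement for `checkov -f <file>`. In the hardened Pod the namespace `mem-example`, the resource sizes, the pinned version `1.25.3-alpine` and the zero-filled digest are placeholders chosen for this example. The image is switched to the upstream `nginxinc/nginx-unprivileged` build because the stock `nginx` image runs as root and binds port 80, which cannot coexist with `runAsNonRoot` and `drop: [ALL]`; the unprivileged build is assumed (per its documentation) to keep its PID and temp files under `/tmp`, hence the `emptyDir` mount that makes `readOnlyRootFilesystem` workable.

```python
"""Re-implementation of the Checkov Kubernetes checks listed in the report above, run over the
flagged Pod and Deployment manifests and over a hardened Pod that passes all of them.
Added example; the predicates approximate Checkov's built-in checks rather than copying them."""

# Flagged manifests, transcribed from the report (as dicts, so no YAML parser is needed).
FLAGGED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "default-mem-demo-3"},
               "spec": {"containers": [{"name": "default-mem-demo-3-ctr", "image": "nginx",
                                        "resources": {"requests": {"memory": "128Mi"}}}]}}
FLAGGED_WWW = {"apiVersion": "apps/v1", "kind": "Deployment",
               "metadata": {"name": "www", "namespace": "kube-system"},
               "spec": {"replicas": 3, "selector": {"matchLabels": {"app": "www"}},
                        "template": {"metadata": {"labels": {"app": "www"}}, "spec": {"containers": [
                            {"name": "nginx", "image": "nginx:1.14-alpine", "ports": [{"containerPort": 80}]}]}}}}

# Placeholder (assumption): substitute the real digest, e.g. the output of `crane digest <image:tag>`.
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64

# Hardened Pod. Namespace, resource sizes and the pinned version are illustrative choices; the
# unprivileged nginx build listens on 8080 and keeps its runtime files under /tmp (assumption).
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "default-mem-demo-3", "namespace": "mem-example"},               # CKV_K8S_21
    "spec": {
        "automountServiceAccountToken": False,                                             # CKV_K8S_38
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001, "runAsGroup": 10001,  # CKV_K8S_29/23/40
                            "seccompProfile": {"type": "RuntimeDefault"}},                 # CKV_K8S_31
        "volumes": [{"name": "tmp", "emptyDir": {}}],  # the only writable path with a read-only root fs
        "containers": [{
            "name": "default-mem-demo-3-ctr", "ports": [{"containerPort": 8080}],
            "image": f"nginxinc/nginx-unprivileged:1.25.3-alpine@{PLACEHOLDER_DIGEST}",    # CKV_K8S_14/43
            "imagePullPolicy": "Always",                                                   # CKV_K8S_15
            "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,  # CKV_K8S_30/20/22
                                "capabilities": {"drop": ["ALL"]}},                        # CKV_K8S_28/37
            "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},                  # CKV_K8S_10/12
                          "limits": {"cpu": "500m", "memory": "256Mi"}},                   # CKV_K8S_11/13
            "livenessProbe": {"httpGet": {"path": "/", "port": 8080}},                     # CKV_K8S_8
            "readinessProbe": {"httpGet": {"path": "/", "port": 8080}},                    # CKV_K8S_9
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
    },
}


def _sc(obj, key):  # one securityContext field of a pod spec or a container, None if absent
    return (obj.get("securityContext") or {}).get(key)

def _drops(c):
    caps = (c.get("securityContext") or {}).get("capabilities") or {}
    return {x.upper() for x in caps.get("drop", [])}

def _resource(c, kind, name):
    return name in ((c.get("resources") or {}).get(kind) or {})

def _image_parts(image):
    """Split 'registry/name:tag@sha256:...' into (tag, digest); either may be empty."""
    name, _, digest = image.partition("@")
    last = name.rsplit("/", 1)[-1]  # drop the registry so 'host:5000/' is not mistaken for a tag
    return (last.split(":", 1)[1] if ":" in last else ""), digest

def _seccomp(p, c):  # container-level profile wins, pod-level profile is the fallback
    return any((_sc(o, "seccompProfile") or {}).get("type") == "RuntimeDefault" for o in (c, p))

# Checks on the object itself; they apply to any kind, including the Service flagged above.
RESOURCE_CHECKS = {
    "CKV_K8S_21": lambda m: m.get("metadata", {}).get("namespace") not in (None, "default"),
}

# Checks evaluated for every container c of a pod spec p.
POD_CHECKS = {
    "CKV_K8S_8": lambda p, c: "livenessProbe" in c,
    "CKV_K8S_9": lambda p, c: "readinessProbe" in c,
    "CKV_K8S_10": lambda p, c: _resource(c, "requests", "cpu"),
    "CKV_K8S_11": lambda p, c: _resource(c, "limits", "cpu"),
    "CKV_K8S_12": lambda p, c: _resource(c, "requests", "memory"),
    "CKV_K8S_13": lambda p, c: _resource(c, "limits", "memory"),
    "CKV_K8S_14": lambda p, c: _image_parts(c["image"])[0] not in ("", "latest"),
    # untagged / :latest images are re-pulled on every start anyway, so the policy only matters once pinned
    "CKV_K8S_15": lambda p, c: c.get("imagePullPolicy") == "Always" or _image_parts(c["image"])[0] in ("", "latest"),
    "CKV_K8S_20": lambda p, c: _sc(c, "allowPrivilegeEscalation") is False,
    "CKV_K8S_22": lambda p, c: _sc(c, "readOnlyRootFilesystem") is True,
    "CKV_K8S_23": lambda p, c: _sc(c, "runAsNonRoot") is True or _sc(p, "runAsNonRoot") is True,
    "CKV_K8S_28": lambda p, c: bool(_drops(c) & {"NET_RAW", "ALL"}),
    "CKV_K8S_29": lambda p, c: "securityContext" in p or "securityContext" in c,
    "CKV_K8S_30": lambda p, c: "securityContext" in c,
    "CKV_K8S_31": _seccomp,
    "CKV_K8S_37": lambda p, c: "ALL" in _drops(c),
    "CKV_K8S_38": lambda p, c: p.get("automountServiceAccountToken") is False,
    "CKV_K8S_40": lambda p, c: (_sc(c, "runAsUser") if _sc(c, "runAsUser") is not None else _sc(p, "runAsUser") or 0) >= 10000,
    "CKV_K8S_43": lambda p, c: _image_parts(c["image"])[1].startswith("sha256:"),
}


def run_checks(manifest):
    """IDs of the checks the manifest fails, in numeric order (an empty list means clean)."""
    failed = {cid for cid, ok in RESOURCE_CHECKS.items() if not ok(manifest)}
    spec = manifest.get("spec") or {}
    pod = spec if manifest.get("kind") == "Pod" else (spec.get("template") or {}).get("spec")
    for c in (pod or {}).get("containers", []):
        failed.update(cid for cid, ok in POD_CHECKS.items() if not ok(pod, c))
    return sorted(failed, key=lambda cid: int(cid.rsplit("_", 1)[1]))


if __name__ == "__main__":
    for label, m in (("pod-request-memory.yaml", FLAGGED_POD), ("www.yaml", FLAGGED_WWW), ("hardened", HARDENED_POD)):
        print(f"{label}: {', '.join(run_checks(m)) or 'no failed checks'}")
```

Resolve the real digest with `crane digest nginxinc/nginx-unprivileged:1.25.3-alpine` and keep both the tag and the digest in the reference: the runtime pulls by digest and treats the tag as informational, so the reference stays readable while satisfying CKV_K8S_14 and CKV_K8S_43 at once, and with a digest in place `imagePullPolicy: Always` costs only a registry manifest check per start. One point the scanner does not raise: `www.yaml` puts an application Deployment in `kube-system`, which passes CKV_K8S_21 but mixes a workload with the cluster's own components; giving it a namespace of its own is the better fix.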
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | namespace: default
5 | name: whoami
6 | labels:
7 | app: whoami
8 |
9 | spec:
10 | replicas: 2
11 | selector:
12 | matchLabels:
13 | app: whoami
14 | template:
15 | metadata:
16 | labels:
17 | app: whoami
18 | spec:
19 | containers:
20 | - name: whoami
21 | image: containous/whoami
22 | ports:
23 | - name: web
24 | containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | namespace: default
5 | name: whoami
6 | labels:
7 | app: whoami
8 |
9 | spec:
10 | replicas: 2
11 | selector:
12 | matchLabels:
13 | app: whoami
14 | template:
15 | metadata:
16 | labels:
17 | app: whoami
18 | spec:
19 | containers:
20 | - name: whoami
21 | image: containous/whoami
22 | ports:
23 | - name: web
24 | containerPort: 80
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | namespace: default
5 | name: whoami
6 | labels:
7 | app: whoami
8 |
9 | spec:
10 | replicas: 2
11 | selector:
12 | matchLabels:
13 | app: whoami
14 | template:
15 | metadata:
16 | labels:
17 | app: whoami
18 | spec:
19 | containers:
20 | - name: whoami
21 | image: containous/whoami
22 | ports:
23 | - name: web
24 | containerPort: 80
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | namespace: default
5 | name: whoami
6 | labels:
7 | app: whoami
8 |
9 | spec:
10 | replicas: 2
11 | selector:
12 | matchLabels:
13 | app: whoami
14 | template:
15 | metadata:
16 | labels:
17 | app: whoami
18 | spec:
19 | containers:
20 | - name: whoami
21 | image: containous/whoami
22 | ports:
23 | - name: web
24 | containerPort: 80
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | namespace: default
5 | name: whoami
6 | labels:
7 | app: whoami
8 |
9 | spec:
10 | replicas: 2
11 | selector:
12 | matchLabels:
13 | app: whoami
14 | template:
15 | metadata:
16 | labels:
17 | app: whoami
18 | spec:
19 | containers:
20 | - name: whoami
21 | image: containous/whoami
22 | ports:
23 | - name: web
24 | containerPort: 80
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | namespace: default
5 | name: whoami
6 | labels:
7 | app: whoami
8 |
9 | spec:
10 | replicas: 2
11 | selector:
12 | matchLabels:
13 | app: whoami
14 | template:
15 | metadata:
16 | labels:
17 | app: whoami
18 | spec:
19 | containers:
20 | - name: whoami
21 | image: containous/whoami
22 | ports:
23 | - name: web
24 | containerPort: 80
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | namespace: default
5 | name: whoami
6 | labels:
7 | app: whoami
8 |
9 | spec:
10 | replicas: 2
11 | selector:
12 | matchLabels:
13 | app: whoami
14 | template:
15 | metadata:
16 | labels:
17 | app: whoami
18 | spec:
19 | containers:
20 | - name: whoami
21 | image: containous/whoami
22 | ports:
23 | - name: web
24 | containerPort: 80
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | namespace: default
5 | name: whoami
6 | labels:
7 | app: whoami
8 |
9 | spec:
10 | replicas: 2
11 | selector:
12 | matchLabels:
13 | app: whoami
14 | template:
15 | metadata:
16 | labels:
17 | app: whoami
18 | spec:
19 | containers:
20 | - name: whoami
21 | image: containous/whoami
22 | ports:
23 | - name: web
24 | containerPort: 80
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ServiceAccount.default.traefik-ingress-controller
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/10-service-account.yaml:1-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: ServiceAccount
3 | metadata:
4 | name: traefik-ingress-controller
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/30-whoami-service.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 | name: whoami
5 |
6 | spec:
7 | ports:
8 | - protocol: TCP
9 | name: web
10 | port: 80
11 | selector:
12 | app: whoami
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | kind: Deployment
3 | apiVersion: apps/v1
4 | metadata:
5 | namespace: default
6 | name: traefik
7 | labels:
8 | app: traefik
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: traefik
14 | template:
15 | metadata:
16 | labels:
17 | app: traefik
18 | spec:
19 | serviceAccountName: traefik-ingress-controller
20 | containers:
21 | - name: traefik
22 | image: traefik:v2.1
23 | args:
24 | - --api
25 | - --log.level=DEBUG
26 | - --api.insecure
27 | - --accesslog
28 | - --entrypoints.web.address=:80
29 | - --entrypoints.websecure.address=:443
30 | - --providers.kubernetescrd
31 | - --certificatesresolvers.default.acme.tlschallenge
32 | - --certificatesresolvers.default.acme.email=emailexample@gmail.com
33 | - --certificatesresolvers.default.acme.storage=acme.json
34 | # Please note that this is the staging Let's Encrypt server.
35 | # Once you get things working, you should remove that whole line altogether.
36 | # - --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
37 | ports:
38 | - name: web
39 | containerPort: 80
40 | - name: admin
41 | containerPort: 8080
42 | - name: websecure
43 | containerPort: 443
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/15-traefik-deployment.yaml:2-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: ClusterRole.monitoring.resource-metrics-server-resources
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/prometheusAdapter-clusterRoleServerResources.yaml:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
 1 | apiVersion: rbac.authorization.k8s.io/v1
 2 | kind: ClusterRole
 3 | metadata:
 4 |   labels:
 5 |     app.kubernetes.io/component: metrics-adapter
 6 |     app.kubernetes.io/name: prometheus-adapter
 7 |     app.kubernetes.io/part-of: kube-prometheus
 8 |     app.kubernetes.io/version: 0.10.0
 9 |   name: resource-metrics-server-resources
10 |   namespace: monitoring
11 | rules:
12 | - apiGroups:
13 |   - metrics.k8s.io
14 |   resources:
15 |   - '*'
16 |   verbs:
17 |   - '*'
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
FAILED for resource: ClusterRole.default.prometheus-operator
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/prometheusOperator-clusterRole.yaml:1-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.grafana
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/grafana-deployment.yaml:1-250
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.grafana
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/grafana-deployment.yaml:1-250
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.grafana
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/grafana-deployment.yaml:1-250
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.grafana
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/grafana-deployment.yaml:1-250
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/kubeStateMetrics-deployment.yaml:1-108
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/kubeStateMetrics-deployment.yaml:1-108
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/kubeStateMetrics-deployment.yaml:1-108
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/kubeStateMetrics-deployment.yaml:1-108
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/kubeStateMetrics-deployment.yaml:1-108
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/kubeStateMetrics-deployment.yaml:1-108
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.kube-state-metrics
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/kubeStateMetrics-deployment.yaml:1-108
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/prometheusOperator-deployment.yaml:1-84
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/prometheusOperator-deployment.yaml:1-84
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/prometheusOperator-deployment.yaml:1-84
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/prometheusOperator-deployment.yaml:1-84
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.prometheus-operator
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/prometheusOperator-deployment.yaml:1-84
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/nodeExporter-daemonset.yaml:1-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_26: "Do not specify hostPort unless absolutely necessary"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/nodeExporter-daemonset.yaml:1-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-25.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_25: "Minimize the admission of containers with added capability"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/nodeExporter-daemonset.yaml:1-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-24.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/nodeExporter-daemonset.yaml:1-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_19: "Containers should not share the host network namespace"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/nodeExporter-daemonset.yaml:1-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-18.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/nodeExporter-daemonset.yaml:1-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/nodeExporter-daemonset.yaml:1-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_17: "Containers should not share the host process ID namespace"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/nodeExporter-daemonset.yaml:1-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-16.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/nodeExporter-daemonset.yaml:1-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: DaemonSet.monitoring.node-exporter
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/nodeExporter-daemonset.yaml:1-119
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.blackbox-exporter
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/blackboxExporter-deployment.yaml:1-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.monitoring.blackbox-exporter
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/blackboxExporter-deployment.yaml:1-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.blackbox-exporter
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/blackboxExporter-deployment.yaml:1-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.blackbox-exporter
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/blackboxExporter-deployment.yaml:1-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.monitoring.blackbox-exporter
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/blackboxExporter-deployment.yaml:1-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.blackbox-exporter
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/blackboxExporter-deployment.yaml:1-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.blackbox-exporter
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/blackboxExporter-deployment.yaml:1-115
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.monitoring.prometheus-adapter
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/prometheusAdapter-deployment.yaml:1-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.monitoring.prometheus-adapter
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/prometheusAdapter-deployment.yaml:1-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.monitoring.prometheus-adapter
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/prometheusAdapter-deployment.yaml:1-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.monitoring.prometheus-adapter
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/prometheusAdapter-deployment.yaml:1-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.monitoring.prometheus-adapter
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/prometheusAdapter-deployment.yaml:1-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.monitoring.prometheus-adapter
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/prometheusAdapter-deployment.yaml:1-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.monitoring.prometheus-adapter
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_044_gcp_k8s__prometheus_operator__kube_prometheus_grafana_alertmanager___using_41_42_43/vendor/kube_prometheus/manifests/prometheusAdapter-deployment.yaml:1-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.hello-world
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_026__gcp__external_IP_to_access_Application_In_Cluster/service/load-balancer-example.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   labels:
5 |     app.kubernetes.io/name: load-balancer-example
6 |   name: hello-world
7 | spec:
8 |   replicas: 5
9 |   selector:
10 |     matchLabels:
11 |       app.kubernetes.io/name: load-balancer-example
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app.kubernetes.io/name: load-balancer-example
16 |     spec:
17 |       containers:
18 |       - image: gcr.io/google-samples/node-hello:1.0
19 |         name: hello-world
20 |         ports:
21 |         - containerPort: 8080
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.hello-world
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_026__gcp__external_IP_to_access_Application_In_Cluster/service/load-balancer-example.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.hello-world
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_026__gcp__external_IP_to_access_Application_In_Cluster/service/load-balancer-example.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.hello-world
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_026__gcp__external_IP_to_access_Application_In_Cluster/service/load-balancer-example.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.hello-world
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_026__gcp__external_IP_to_access_Application_In_Cluster/service/load-balancer-example.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.hello-world
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_026__gcp__external_IP_to_access_Application_In_Cluster/service/load-balancer-example.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.hello-world
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_026__gcp__external_IP_to_access_Application_In_Cluster/service/load-balancer-example.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.hello-world
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_026__gcp__external_IP_to_access_Application_In_Cluster/service/load-balancer-example.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.hello-world
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_026__gcp__external_IP_to_access_Application_In_Cluster/service/load-balancer-example.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.hello-world
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_026__gcp__external_IP_to_access_Application_In_Cluster/service/load-balancer-example.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.hello-world
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_026__gcp__external_IP_to_access_Application_In_Cluster/service/load-balancer-example.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.hello-world
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_026__gcp__external_IP_to_access_Application_In_Cluster/service/load-balancer-example.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.hello-world
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_026__gcp__external_IP_to_access_Application_In_Cluster/service/load-balancer-example.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.hello-world
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_026__gcp__external_IP_to_access_Application_In_Cluster/service/load-balancer-example.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.hello-world
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_026__gcp__external_IP_to_access_Application_In_Cluster/service/load-balancer-example.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.hello-world
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_026__gcp__external_IP_to_access_Application_In_Cluster/service/load-balancer-example.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.hello-world
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_026__gcp__external_IP_to_access_Application_In_Cluster/service/load-balancer-example.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.hello-world
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_026__gcp__external_IP_to_access_Application_In_Cluster/service/load-balancer-example.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.hello-world
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_026__gcp__external_IP_to_access_Application_In_Cluster/service/load-balancer-example.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.development.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_020__gcp__basic_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: www
5 |   namespace: development
6 | spec:
7 |   replicas: 3
8 |   selector:
9 |     matchLabels:
10 |       app: www
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: www
15 |     spec:
16 |       containers:
17 |       - name: nginx
18 |         image: nginx:1.14-alpine
19 |         ports:
20 |         - containerPort: 80
21 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.development.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_020__gcp__basic_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.development.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_020__gcp__basic_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.development.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_020__gcp__basic_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.development.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_020__gcp__basic_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.development.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_020__gcp__basic_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.development.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_020__gcp__basic_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.development.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_020__gcp__basic_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.development.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_020__gcp__basic_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.development.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_020__gcp__basic_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.development.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_020__gcp__basic_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.development.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_020__gcp__basic_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.development.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_020__gcp__basic_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.development.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_020__gcp__basic_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: www
5 |   namespace: development
6 | spec:
7 |   replicas: 3
8 |   selector:
9 |     matchLabels:
10 |       app: www
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: www
15 |     spec:
16 |       containers:
17 |       - name: nginx
18 |         image: nginx:1.14-alpine
19 |         ports:
20 |         - containerPort: 80
21 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.development.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_020__gcp__basic_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: www
5 |   namespace: development
6 | spec:
7 |   replicas: 3
8 |   selector:
9 |     matchLabels:
10 |       app: www
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: www
15 |     spec:
16 |       containers:
17 |       - name: nginx
18 |         image: nginx:1.14-alpine
19 |         ports:
20 |         - containerPort: 80
21 | ---
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.development.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_020__gcp__basic_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: www
5 |   namespace: development
6 | spec:
7 |   replicas: 3
8 |   selector:
9 |     matchLabels:
10 |       app: www
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: www
15 |     spec:
16 |       containers:
17 |       - name: nginx
18 |         image: nginx:1.14-alpine
19 |         ports:
20 |         - containerPort: 80
21 | ---
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.development.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_020__gcp__basic_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: www
5 |   namespace: development
6 | spec:
7 |   replicas: 3
8 |   selector:
9 |     matchLabels:
10 |       app: www
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: www
15 |     spec:
16 |       containers:
17 |       - name: nginx
18 |         image: nginx:1.14-alpine
19 |         ports:
20 |         - containerPort: 80
21 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.development.www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_020__gcp__basic_namespace_wide_kubeconfig/www.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: www
5 |   namespace: development
6 | spec:
7 |   replicas: 3
8 |   selector:
9 |     matchLabels:
10 |       app: www
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: www
15 |     spec:
16 |       containers:
17 |       - name: nginx
18 |         image: nginx:1.14-alpine
19 |         ports:
20 |         - containerPort: 80
21 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.default.local-pod
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_038__local__kind__extramounts_for_pv_and_pvc/pod.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: local-pod
5 | spec:
6 |   containers:
7 |   - name: local-container
8 |     image: nginx
9 |     volumeMounts:
10 |     - name: local-volume
11 |       mountPath: "/mnt/data"
12 |   volumes:
13 |   - name: local-volume
14 |     persistentVolumeClaim:
15 |       claimName: local-pvc
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.local-pod
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_038__local__kind__extramounts_for_pv_and_pvc/pod.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: local-pod
5 | spec:
6 |   containers:
7 |   - name: local-container
8 |     image: nginx
9 |     volumeMounts:
10 |     - name: local-volume
11 |       mountPath: "/mnt/data"
12 |   volumes:
13 |   - name: local-volume
14 |     persistentVolumeClaim:
15 |       claimName: local-pvc
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Pod.default.local-pod
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_038__local__kind__extramounts_for_pv_and_pvc/pod.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: local-pod
5 | spec:
6 |   containers:
7 |   - name: local-container
8 |     image: nginx
9 |     volumeMounts:
10 |     - name: local-volume
11 |       mountPath: "/mnt/data"
12 |   volumes:
13 |   - name: local-volume
14 |     persistentVolumeClaim:
15 |       claimName: local-pvc
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.local-pod
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_038__local__kind__extramounts_for_pv_and_pvc/pod.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: local-pod
5 | spec:
6 |   containers:
7 |   - name: local-container
8 |     image: nginx
9 |     volumeMounts:
10 |     - name: local-volume
11 |       mountPath: "/mnt/data"
12 |   volumes:
13 |   - name: local-volume
14 |     persistentVolumeClaim:
15 |       claimName: local-pvc
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.local-pod
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_038__local__kind__extramounts_for_pv_and_pvc/pod.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: local-pod
5 | spec:
6 |   containers:
7 |   - name: local-container
8 |     image: nginx
9 |     volumeMounts:
10 |     - name: local-volume
11 |       mountPath: "/mnt/data"
12 |   volumes:
13 |   - name: local-volume
14 |     persistentVolumeClaim:
15 |       claimName: local-pvc
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.local-pod
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_038__local__kind__extramounts_for_pv_and_pvc/pod.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: local-pod
5 | spec:
6 |   containers:
7 |   - name: local-container
8 |     image: nginx
9 |     volumeMounts:
10 |     - name: local-volume
11 |       mountPath: "/mnt/data"
12 |   volumes:
13 |   - name: local-volume
14 |     persistentVolumeClaim:
15 |       claimName: local-pvc
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.default.local-pod
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_038__local__kind__extramounts_for_pv_and_pvc/pod.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: local-pod
5 | spec:
6 |   containers:
7 |   - name: local-container
8 |     image: nginx
9 |     volumeMounts:
10 |     - name: local-volume
11 |       mountPath: "/mnt/data"
12 |   volumes:
13 |   - name: local-volume
14 |     persistentVolumeClaim:
15 |       claimName: local-pvc
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.local-pod
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_038__local__kind__extramounts_for_pv_and_pvc/pod.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: local-pod
5 | spec:
6 |   containers:
7 |   - name: local-container
8 |     image: nginx
9 |     volumeMounts:
10 |     - name: local-volume
11 |       mountPath: "/mnt/data"
12 |   volumes:
13 |   - name: local-volume
14 |     persistentVolumeClaim:
15 |       claimName: local-pvc
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.local-pod
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_038__local__kind__extramounts_for_pv_and_pvc/pod.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: local-pod
5 | spec:
6 |   containers:
7 |   - name: local-container
8 |     image: nginx
9 |     volumeMounts:
10 |     - name: local-volume
11 |       mountPath: "/mnt/data"
12 |   volumes:
13 |   - name: local-volume
14 |     persistentVolumeClaim:
15 |       claimName: local-pvc
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.local-pod
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_038__local__kind__extramounts_for_pv_and_pvc/pod.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: local-pod
5 | spec:
6 |   containers:
7 |   - name: local-container
8 |     image: nginx
9 |     volumeMounts:
10 |     - name: local-volume
11 |       mountPath: "/mnt/data"
12 |   volumes:
13 |   - name: local-volume
14 |     persistentVolumeClaim:
15 |       claimName: local-pvc
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.default.local-pod
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_038__local__kind__extramounts_for_pv_and_pvc/pod.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: local-pod
5 | spec:
6 |   containers:
7 |   - name: local-container
8 |     image: nginx
9 |     volumeMounts:
10 |     - name: local-volume
11 |       mountPath: "/mnt/data"
12 |   volumes:
13 |   - name: local-volume
14 |     persistentVolumeClaim:
15 |       claimName: local-pvc
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.local-pod
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_038__local__kind__extramounts_for_pv_and_pvc/pod.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: local-pod
5 | spec:
6 |   containers:
7 |   - name: local-container
8 |     image: nginx
9 |     volumeMounts:
10 |     - name: local-volume
11 |       mountPath: "/mnt/data"
12 |   volumes:
13 |   - name: local-volume
14 |     persistentVolumeClaim:
15 |       claimName: local-pvc
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.default.local-pod
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_038__local__kind__extramounts_for_pv_and_pvc/pod.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: local-pod
5 | spec:
6 |   containers:
7 |   - name: local-container
8 |     image: nginx
9 |     volumeMounts:
10 |     - name: local-volume
11 |       mountPath: "/mnt/data"
12 |   volumes:
13 |   - name: local-volume
14 |     persistentVolumeClaim:
15 |       claimName: local-pvc
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.local-pod
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_038__local__kind__extramounts_for_pv_and_pvc/pod.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: local-pod
5 | spec:
6 |   containers:
7 |   - name: local-container
8 |     image: nginx
9 |     volumeMounts:
10 |     - name: local-volume
11 |       mountPath: "/mnt/data"
12 |   volumes:
13 |   - name: local-volume
14 |     persistentVolumeClaim:
15 |       claimName: local-pvc
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.local-pod
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_038__local__kind__extramounts_for_pv_and_pvc/pod.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: local-pod
5 | spec:
6 |   containers:
7 |   - name: local-container
8 |     image: nginx
9 |     volumeMounts:
10 |     - name: local-volume
11 |       mountPath: "/mnt/data"
12 |   volumes:
13 |   - name: local-volume
14 |     persistentVolumeClaim:
15 |       claimName: local-pvc
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.local-pod
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_038__local__kind__extramounts_for_pv_and_pvc/pod.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: local-pod
5 | spec:
6 |   containers:
7 |   - name: local-container
8 |     image: nginx
9 |     volumeMounts:
10 |     - name: local-volume
11 |       mountPath: "/mnt/data"
12 |   volumes:
13 |   - name: local-volume
14 |     persistentVolumeClaim:
15 |       claimName: local-pvc
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Pod.default.local-pod
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_038__local__kind__extramounts_for_pv_and_pvc/pod.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: local-pod
5 | spec:
6 |   containers:
7 |   - name: local-container
8 |     image: nginx
9 |     volumeMounts:
10 |     - name: local-volume
11 |       mountPath: "/mnt/data"
12 |   volumes:
13 |   - name: local-volume
14 |     persistentVolumeClaim:
15 |       claimName: local-pvc
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.default.local-pod
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_038__local__kind__extramounts_for_pv_and_pvc/pod.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: local-pod
5 | spec:
6 |   containers:
7 |   - name: local-container
8 |     image: nginx
9 |     volumeMounts:
10 |     - name: local-volume
11 |       mountPath: "/mnt/data"
12 |   volumes:
13 |   - name: local-volume
14 |     persistentVolumeClaim:
15 |       claimName: local-pvc
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.local-pod
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_038__local__kind__extramounts_for_pv_and_pvc/pod.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: local-pod
5 | spec:
6 |   containers:
7 |   - name: local-container
8 |     image: nginx
9 |     volumeMounts:
10 |     - name: local-volume
11 |       mountPath: "/mnt/data"
12 |   volumes:
13 |   - name: local-volume
14 |     persistentVolumeClaim:
15 |       claimName: local-pvc
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_011__aws__traefik_kops_whoami/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   namespace: default
5 |   name: whoami
6 |   labels:
7 |     app: whoami
8 |
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: whoami
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: whoami
18 |     spec:
19 |       containers:
20 |       - name: whoami
21 |         image: containous/whoami
22 |         ports:
23 |         - name: web
24 |           containerPort: 80
25 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_011__aws__traefik_kops_whoami/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   namespace: default
5 |   name: whoami
6 |   labels:
7 |     app: whoami
8 |
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: whoami
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: whoami
18 |     spec:
19 |       containers:
20 |       - name: whoami
21 |         image: containous/whoami
22 |         ports:
23 |         - name: web
24 |           containerPort: 80
25 | ---
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_011__aws__traefik_kops_whoami/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   namespace: default
5 |   name: whoami
6 |   labels:
7 |     app: whoami
8 |
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: whoami
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: whoami
18 |     spec:
19 |       containers:
20 |       - name: whoami
21 |         image: containous/whoami
22 |         ports:
23 |         - name: web
24 |           containerPort: 80
25 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_011__aws__traefik_kops_whoami/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   namespace: default
5 |   name: whoami
6 |   labels:
7 |     app: whoami
8 |
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: whoami
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: whoami
18 |     spec:
19 |       containers:
20 |       - name: whoami
21 |         image: containous/whoami
22 |         ports:
23 |         - name: web
24 |           containerPort: 80
25 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_011__aws__traefik_kops_whoami/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   namespace: default
5 |   name: whoami
6 |   labels:
7 |     app: whoami
8 |
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: whoami
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: whoami
18 |     spec:
19 |       containers:
20 |       - name: whoami
21 |         image: containous/whoami
22 |         ports:
23 |         - name: web
24 |           containerPort: 80
25 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_011__aws__traefik_kops_whoami/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   namespace: default
5 |   name: whoami
6 |   labels:
7 |     app: whoami
8 |
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: whoami
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: whoami
18 |     spec:
19 |       containers:
20 |       - name: whoami
21 |         image: containous/whoami
22 |         ports:
23 |         - name: web
24 |           containerPort: 80
25 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_011__aws__traefik_kops_whoami/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   namespace: default
5 |   name: whoami
6 |   labels:
7 |     app: whoami
8 |
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: whoami
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: whoami
18 |     spec:
19 |       containers:
20 |       - name: whoami
21 |         image: containous/whoami
22 |         ports:
23 |         - name: web
24 |           containerPort: 80
25 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_011__aws__traefik_kops_whoami/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   namespace: default
5 |   name: whoami
6 |   labels:
7 |     app: whoami
8 |
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: whoami
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: whoami
18 |     spec:
19 |       containers:
20 |       - name: whoami
21 |         image: containous/whoami
22 |         ports:
23 |         - name: web
24 |           containerPort: 80
25 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_011__aws__traefik_kops_whoami/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   namespace: default
5 |   name: whoami
6 |   labels:
7 |     app: whoami
8 |
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: whoami
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: whoami
18 |     spec:
19 |       containers:
20 |       - name: whoami
21 |         image: containous/whoami
22 |         ports:
23 |         - name: web
24 |           containerPort: 80
25 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_011__aws__traefik_kops_whoami/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   namespace: default
5 |   name: whoami
6 |   labels:
7 |     app: whoami
8 |
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: whoami
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: whoami
18 |     spec:
19 |       containers:
20 |       - name: whoami
21 |         image: containous/whoami
22 |         ports:
23 |         - name: web
24 |           containerPort: 80
25 | ---
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_011__aws__traefik_kops_whoami/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   namespace: default
5 |   name: whoami
6 |   labels:
7 |     app: whoami
8 |
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: whoami
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: whoami
18 |     spec:
19 |       containers:
20 |       - name: whoami
21 |         image: containous/whoami
22 |         ports:
23 |         - name: web
24 |           containerPort: 80
25 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_011__aws__traefik_kops_whoami/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   namespace: default
5 |   name: whoami
6 |   labels:
7 |     app: whoami
8 |
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: whoami
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: whoami
18 |     spec:
19 |       containers:
20 |       - name: whoami
21 |         image: containous/whoami
22 |         ports:
23 |         - name: web
24 |           containerPort: 80
25 | ---
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_011__aws__traefik_kops_whoami/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   namespace: default
5 |   name: whoami
6 |   labels:
7 |     app: whoami
8 |
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: whoami
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: whoami
18 |     spec:
19 |       containers:
20 |       - name: whoami
21 |         image: containous/whoami
22 |         ports:
23 |         - name: web
24 |           containerPort: 80
25 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_011__aws__traefik_kops_whoami/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   namespace: default
5 |   name: whoami
6 |   labels:
7 |     app: whoami
8 |
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: whoami
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: whoami
18 |     spec:
19 |       containers:
20 |       - name: whoami
21 |         image: containous/whoami
22 |         ports:
23 |         - name: web
24 |           containerPort: 80
25 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_011__aws__traefik_kops_whoami/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   namespace: default
5 |   name: whoami
6 |   labels:
7 |     app: whoami
8 |
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: whoami
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: whoami
18 |     spec:
19 |       containers:
20 |       - name: whoami
21 |         image: containous/whoami
22 |         ports:
23 |         - name: web
24 |           containerPort: 80
25 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_011__aws__traefik_kops_whoami/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   namespace: default
5 |   name: whoami
6 |   labels:
7 |     app: whoami
8 |
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: whoami
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: whoami
18 |     spec:
19 |       containers:
20 |       - name: whoami
21 |         image: containous/whoami
22 |         ports:
23 |         - name: web
24 |           containerPort: 80
25 | ---
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_011__aws__traefik_kops_whoami/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   namespace: default
5 |   name: whoami
6 |   labels:
7 |     app: whoami
8 |
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: whoami
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: whoami
18 |     spec:
19 |       containers:
20 |       - name: whoami
21 |         image: containous/whoami
22 |         ports:
23 |         - name: web
24 |           containerPort: 80
25 | ---
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_011__aws__traefik_kops_whoami/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_011__aws__traefik_kops_whoami/whoami.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_011__aws__traefik_kops_whoami/whoami.yaml:27-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
27 | apiVersion: v1
28 | kind: Service
29 | metadata:
30 |   name: whoami
31 |
32 | spec:
33 |   ports:
34 |     - protocol: TCP
35 |       name: web
36 |       port: 80
37 |   selector:
38 |     app: whoami
39 |
40 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ServiceAccount.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_011__aws__traefik_kops_whoami/traefik-resources.yaml:3-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
3 | kind: ServiceAccount
4 | apiVersion: v1
5 | metadata:
6 |   name: traefik-helm-template-traefik
7 |   labels:
8 |     app.kubernetes.io/name: traefik
9 |     helm.sh/chart: traefik-9.19.1
10 |     app.kubernetes.io/managed-by: Helm
11 |     app.kubernetes.io/instance: traefik-helm-template
12 |   annotations:
13 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_011__aws__traefik_kops_whoami/traefik-resources.yaml:88-184
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_011__aws__traefik_kops_whoami/traefik-resources.yaml:88-184
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_011__aws__traefik_kops_whoami/traefik-resources.yaml:88-184
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_011__aws__traefik_kops_whoami/traefik-resources.yaml:88-184
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_011__aws__traefik_kops_whoami/traefik-resources.yaml:88-184
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_011__aws__traefik_kops_whoami/traefik-resources.yaml:88-184
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_011__aws__traefik_kops_whoami/traefik-resources.yaml:88-184
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_011__aws__traefik_kops_whoami/traefik-resources.yaml:88-184
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_011__aws__traefik_kops_whoami/traefik-resources.yaml:88-184
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_011__aws__traefik_kops_whoami/traefik-resources.yaml:88-184
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_011__aws__traefik_kops_whoami/traefik-resources.yaml:189-213
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
189 | - apiVersion: v1
190 |   kind: Service
191 |   metadata:
192 |     name: traefik-helm-template-traefik
193 |     labels:
194 |       app.kubernetes.io/name: traefik
195 |       helm.sh/chart: traefik-9.19.1
196 |       app.kubernetes.io/managed-by: Helm
197 |       app.kubernetes.io/instance: traefik-helm-template
198 |     annotations:
199 |   spec:
200 |     type: LoadBalancer
201 |     selector:
202 |       app.kubernetes.io/name: traefik
203 |       app.kubernetes.io/instance: traefik-helm-template
204 |     ports:
205 |       - port: 80
206 |         name: web
207 |         targetPort: "web"
208 |         protocol: "TCP"
209 |       - port: 443
210 |         name: websecure
211 |         targetPort: "websecure"
212 |         protocol: "TCP"
213 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ServiceAccount.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_010__aws__deploy_traefik_kops_k8s_helm/traefik-resources.yaml:3-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_010__aws__deploy_traefik_kops_k8s_helm/traefik-resources.yaml:88-184
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_010__aws__deploy_traefik_kops_k8s_helm/traefik-resources.yaml:88-184
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_010__aws__deploy_traefik_kops_k8s_helm/traefik-resources.yaml:88-184
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_010__aws__deploy_traefik_kops_k8s_helm/traefik-resources.yaml:88-184
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_010__aws__deploy_traefik_kops_k8s_helm/traefik-resources.yaml:88-184
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_010__aws__deploy_traefik_kops_k8s_helm/traefik-resources.yaml:88-184
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_010__aws__deploy_traefik_kops_k8s_helm/traefik-resources.yaml:88-184
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_010__aws__deploy_traefik_kops_k8s_helm/traefik-resources.yaml:88-184
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_010__aws__deploy_traefik_kops_k8s_helm/traefik-resources.yaml:88-184
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_010__aws__deploy_traefik_kops_k8s_helm/traefik-resources.yaml:88-184
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.traefik-helm-template-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_010__aws__deploy_traefik_kops_k8s_helm/traefik-resources.yaml:189-213
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: DaemonSet.loki.loki-grafana-loki-promtail
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:742-861
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: DaemonSet.loki.loki-grafana-loki-promtail
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:742-861
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: DaemonSet.loki.loki-grafana-loki-promtail
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:742-861
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: DaemonSet.loki.loki-grafana-loki-promtail
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:742-861
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: DaemonSet.loki.loki-grafana-loki-promtail
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:742-861
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: DaemonSet.loki.loki-grafana-loki-promtail
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:742-861
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: DaemonSet.loki.loki-grafana-loki-promtail
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:742-861
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: DaemonSet.loki.loki-grafana-loki-promtail
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:742-861
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: DaemonSet.loki.loki-grafana-loki-promtail
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:742-861
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: DaemonSet.loki.loki-grafana-loki-promtail
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:742-861
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: DaemonSet.loki.loki-grafana-loki-promtail
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:742-861
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: DaemonSet.loki.loki-grafana-loki-promtail
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:742-861
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: DaemonSet.loki.loki-grafana-loki-promtail
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:742-861
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: DaemonSet.loki.loki-grafana-loki-promtail
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:742-861
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.loki.loki-grafana-loki-compactor
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:863-970
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.loki.loki-grafana-loki-compactor
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:863-970
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.loki.loki-grafana-loki-compactor
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:863-970
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.loki.loki-grafana-loki-compactor
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:863-970
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.loki.loki-grafana-loki-compactor
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:863-970
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.loki.loki-grafana-loki-compactor
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:863-970
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.loki.loki-grafana-loki-compactor
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:863-970
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.loki.loki-grafana-loki-compactor
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:863-970
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.loki.loki-grafana-loki-compactor
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:863-970
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.loki.loki-grafana-loki-compactor
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:863-970
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.loki.loki-grafana-loki-compactor
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:863-970
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.loki.loki-grafana-loki-compactor
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:863-970
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.loki.loki-grafana-loki-compactor
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:863-970
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.loki.loki-grafana-loki-distributor
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:972-1077
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.loki.loki-grafana-loki-distributor
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:972-1077
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.loki.loki-grafana-loki-distributor
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:972-1077
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.loki.loki-grafana-loki-distributor
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:972-1077
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.loki.loki-grafana-loki-distributor
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:972-1077
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.loki.loki-grafana-loki-distributor
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:972-1077
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.loki.loki-grafana-loki-distributor
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:972-1077
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.loki.loki-grafana-loki-distributor
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:972-1077
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.loki.loki-grafana-loki-distributor
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:972-1077
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.loki.loki-grafana-loki-distributor
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:972-1077
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.loki.loki-grafana-loki-distributor
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:972-1077
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.loki.loki-grafana-loki-distributor
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:972-1077
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.loki.loki-grafana-loki-distributor
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:972-1077
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.loki.loki-grafana-loki-gateway
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1079-1182
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.loki.loki-grafana-loki-gateway
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1079-1182
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.loki.loki-grafana-loki-gateway
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1079-1182
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.loki.loki-grafana-loki-gateway
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1079-1182
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.loki.loki-grafana-loki-gateway
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1079-1182
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.loki.loki-grafana-loki-gateway
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1079-1182
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.loki.loki-grafana-loki-gateway
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1079-1182
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.loki.loki-grafana-loki-gateway
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1079-1182
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.loki.loki-grafana-loki-gateway
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1079-1182
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.loki.loki-grafana-loki-gateway
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1079-1182
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.loki.loki-grafana-loki-gateway
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1079-1182
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.loki.loki-grafana-loki-gateway
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1079-1182
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.loki.loki-grafana-loki-gateway
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1079-1182
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.loki.loki-grafana-loki-query-frontend
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1184-1285
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.loki.loki-grafana-loki-query-frontend
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1184-1285
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.loki.loki-grafana-loki-query-frontend
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1184-1285
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.loki.loki-grafana-loki-query-frontend
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1184-1285
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.loki.loki-grafana-loki-query-frontend
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1184-1285
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.loki.loki-grafana-loki-query-frontend
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1184-1285
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.loki.loki-grafana-loki-query-frontend
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1184-1285
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.loki.loki-grafana-loki-query-frontend
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1184-1285
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.loki.loki-grafana-loki-query-frontend
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1184-1285
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.loki.loki-grafana-loki-query-frontend
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1184-1285
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.loki.loki-grafana-loki-query-frontend
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1184-1285
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.loki.loki-grafana-loki-query-frontend
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1184-1285
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.loki.loki-grafana-loki-query-frontend
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1184-1285
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: StatefulSet.loki.loki-memcachedchunks
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1287-1377
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: StatefulSet.loki.loki-memcachedchunks
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1287-1377
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: StatefulSet.loki.loki-memcachedchunks
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1287-1377
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: StatefulSet.loki.loki-memcachedchunks
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1287-1377
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: StatefulSet.loki.loki-memcachedchunks
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1287-1377
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: StatefulSet.loki.loki-memcachedchunks
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1287-1377
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: StatefulSet.loki.loki-memcachedchunks
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1287-1377
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: StatefulSet.loki.loki-memcachedchunks
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1287-1377
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: StatefulSet.loki.loki-memcachedchunks
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1287-1377
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: StatefulSet.loki.loki-memcachedchunks
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1287-1377
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: StatefulSet.loki.loki-memcachedchunks
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1287-1377
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: StatefulSet.loki.loki-memcachedfrontend
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1379-1469
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: StatefulSet.loki.loki-memcachedfrontend
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1379-1469
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: StatefulSet.loki.loki-memcachedfrontend
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1379-1469
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: StatefulSet.loki.loki-memcachedfrontend
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1379-1469
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: StatefulSet.loki.loki-memcachedfrontend
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1379-1469
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: StatefulSet.loki.loki-memcachedfrontend
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1379-1469
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: StatefulSet.loki.loki-memcachedfrontend
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1379-1469
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: StatefulSet.loki.loki-memcachedfrontend
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1379-1469
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: StatefulSet.loki.loki-memcachedfrontend
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1379-1469
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: StatefulSet.loki.loki-memcachedfrontend
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1379-1469
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: StatefulSet.loki.loki-memcachedfrontend
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1379-1469
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: StatefulSet.loki.loki-memcachedindexqueries
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1471-1561
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: StatefulSet.loki.loki-memcachedindexqueries
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1471-1561
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: StatefulSet.loki.loki-memcachedindexqueries
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1471-1561
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: StatefulSet.loki.loki-memcachedindexqueries
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1471-1561
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: StatefulSet.loki.loki-memcachedindexqueries
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1471-1561
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: StatefulSet.loki.loki-memcachedindexqueries
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1471-1561
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: StatefulSet.loki.loki-memcachedindexqueries
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1471-1561
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: StatefulSet.loki.loki-memcachedindexqueries
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1471-1561
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: StatefulSet.loki.loki-memcachedindexqueries
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1471-1561
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: StatefulSet.loki.loki-memcachedindexqueries
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1471-1561
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: StatefulSet.loki.loki-memcachedindexqueries
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1471-1561
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: StatefulSet.loki.loki-grafana-loki-ingester
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1563-1678
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: StatefulSet.loki.loki-grafana-loki-ingester
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1563-1678
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: StatefulSet.loki.loki-grafana-loki-ingester
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1563-1678
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: StatefulSet.loki.loki-grafana-loki-ingester
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1563-1678
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: StatefulSet.loki.loki-grafana-loki-ingester
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1563-1678
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: StatefulSet.loki.loki-grafana-loki-ingester
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1563-1678
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: StatefulSet.loki.loki-grafana-loki-ingester
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1563-1678
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: StatefulSet.loki.loki-grafana-loki-ingester
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1563-1678
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: StatefulSet.loki.loki-grafana-loki-ingester
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1563-1678
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: StatefulSet.loki.loki-grafana-loki-ingester
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1563-1678
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: StatefulSet.loki.loki-grafana-loki-ingester
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1563-1678
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: StatefulSet.loki.loki-grafana-loki-ingester
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1563-1678
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: StatefulSet.loki.loki-grafana-loki-ingester
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1563-1678
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: StatefulSet.loki.loki-grafana-loki-querier
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1680-1796
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: StatefulSet.loki.loki-grafana-loki-querier
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1680-1796
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: StatefulSet.loki.loki-grafana-loki-querier
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1680-1796
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: StatefulSet.loki.loki-grafana-loki-querier
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1680-1796
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: StatefulSet.loki.loki-grafana-loki-querier
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1680-1796
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: StatefulSet.loki.loki-grafana-loki-querier
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1680-1796
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: StatefulSet.loki.loki-grafana-loki-querier
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1680-1796
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: StatefulSet.loki.loki-grafana-loki-querier
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1680-1796
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: StatefulSet.loki.loki-grafana-loki-querier
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1680-1796
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: StatefulSet.loki.loki-grafana-loki-querier
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1680-1796
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: StatefulSet.loki.loki-grafana-loki-querier
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1680-1796
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: StatefulSet.loki.loki-grafana-loki-querier
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1680-1796
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: StatefulSet.loki.loki-grafana-loki-querier
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1680-1796
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.default.log-generator
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/log-generator-pod.yaml:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: log-generator
5 | spec:
6 |   containers:
7 |   - name: log-generator
8 |     image: alpine
9 |     command:
10 |     - sh
11 |     - -c
12 |     - while true; do echo $(date) Hello World!; sleep 1; done
13 |   restartPolicy: Never
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.log-generator
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/log-generator-pod.yaml:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: log-generator
5 | spec:
6 |   containers:
7 |   - name: log-generator
8 |     image: alpine
9 |     command:
10 |     - sh
11 |     - -c
12 |     - while true; do echo $(date) Hello World!; sleep 1; done
13 |   restartPolicy: Never
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Pod.default.log-generator
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/log-generator-pod.yaml:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: log-generator
5 | spec:
6 |   containers:
7 |   - name: log-generator
8 |     image: alpine
9 |     command:
10 |     - sh
11 |     - -c
12 |     - while true; do echo $(date) Hello World!; sleep 1; done
13 |   restartPolicy: Never
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.log-generator
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/log-generator-pod.yaml:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: log-generator
5 | spec:
6 |   containers:
7 |   - name: log-generator
8 |     image: alpine
9 |     command:
10 |     - sh
11 |     - -c
12 |     - while true; do echo $(date) Hello World!; sleep 1; done
13 |   restartPolicy: Never
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.log-generator
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/log-generator-pod.yaml:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: log-generator
5 | spec:
6 |   containers:
7 |   - name: log-generator
8 |     image: alpine
9 |     command:
10 |     - sh
11 |     - -c
12 |     - while true; do echo $(date) Hello World!; sleep 1; done
13 |   restartPolicy: Never
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.log-generator
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/log-generator-pod.yaml:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: log-generator
5 | spec:
6 |   containers:
7 |   - name: log-generator
8 |     image: alpine
9 |     command:
10 |     - sh
11 |     - -c
12 |     - while true; do echo $(date) Hello World!; sleep 1; done
13 |   restartPolicy: Never
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.default.log-generator
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/log-generator-pod.yaml:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: log-generator
5 | spec:
6 |   containers:
7 |   - name: log-generator
8 |     image: alpine
9 |     command:
10 |     - sh
11 |     - -c
12 |     - while true; do echo $(date) Hello World!; sleep 1; done
13 |   restartPolicy: Never
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.log-generator
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/log-generator-pod.yaml:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: log-generator
5 | spec:
6 |   containers:
7 |   - name: log-generator
8 |     image: alpine
9 |     command:
10 |     - sh
11 |     - -c
12 |     - while true; do echo $(date) Hello World!; sleep 1; done
13 |   restartPolicy: Never
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.log-generator
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/log-generator-pod.yaml:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: log-generator
5 | spec:
6 |   containers:
7 |   - name: log-generator
8 |     image: alpine
9 |     command:
10 |     - sh
11 |     - -c
12 |     - while true; do echo $(date) Hello World!; sleep 1; done
13 |   restartPolicy: Never
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.log-generator
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/log-generator-pod.yaml:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: log-generator
5 | spec:
6 |   containers:
7 |   - name: log-generator
8 |     image: alpine
9 |     command:
10 |     - sh
11 |     - -c
12 |     - while true; do echo $(date) Hello World!; sleep 1; done
13 |   restartPolicy: Never
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.default.log-generator
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/log-generator-pod.yaml:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: log-generator
5 | spec:
6 |   containers:
7 |   - name: log-generator
8 |     image: alpine
9 |     command:
10 |     - sh
11 |     - -c
12 |     - while true; do echo $(date) Hello World!; sleep 1; done
13 |   restartPolicy: Never
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.log-generator
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/log-generator-pod.yaml:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: log-generator
5 | spec:
6 |   containers:
7 |   - name: log-generator
8 |     image: alpine
9 |     command:
10 |     - sh
11 |     - -c
12 |     - while true; do echo $(date) Hello World!; sleep 1; done
13 |   restartPolicy: Never
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.default.log-generator
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/log-generator-pod.yaml:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: log-generator
5 | spec:
6 |   containers:
7 |   - name: log-generator
8 |     image: alpine
9 |     command:
10 |     - sh
11 |     - -c
12 |     - while true; do echo $(date) Hello World!; sleep 1; done
13 |   restartPolicy: Never
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.log-generator
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/log-generator-pod.yaml:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: log-generator
5 | spec:
6 |   containers:
7 |   - name: log-generator
8 |     image: alpine
9 |     command:
10 |     - sh
11 |     - -c
12 |     - while true; do echo $(date) Hello World!; sleep 1; done
13 |   restartPolicy: Never
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.log-generator
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/log-generator-pod.yaml:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: log-generator
5 | spec:
6 |   containers:
7 |   - name: log-generator
8 |     image: alpine
9 |     command:
10 |     - sh
11 |     - -c
12 |     - while true; do echo $(date) Hello World!; sleep 1; done
13 |   restartPolicy: Never
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.log-generator
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/log-generator-pod.yaml:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: log-generator
5 | spec:
6 |   containers:
7 |   - name: log-generator
8 |     image: alpine
9 |     command:
10 |     - sh
11 |     - -c
12 |     - while true; do echo $(date) Hello World!; sleep 1; done
13 |   restartPolicy: Never
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Pod.default.log-generator
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/log-generator-pod.yaml:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.default.log-generator
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/log-generator-pod.yaml:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.log-generator
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/log-generator-pod.yaml:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   name: whoami
5 |   labels:
6 |     app: whoami
7 |
8 | spec:
9 |   replicas: 1
10 |   selector:
11 |     matchLabels:
12 |       app: whoami
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: whoami
17 |     spec:
18 |       containers:
19 |         - name: whoami
20 |           image: traefik/whoami
21 |           ports:
22 |             - name: web
23 |               containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/svc.yaml:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 |   creationTimestamp: null
5 |   labels:
6 |     app: whoami
7 |   name: whoami
8 | spec:
9 |   ports:
10 |     - port: 80
11 |       protocol: TCP
12 |       targetPort: 80
13 |   selector:
14 |     app: whoami
15 |   type: NodePort
16 | status:
17 |   loadBalancer: {}
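The pod-level findings above for the log-generator Pod and the whoami Deployment are all variations of one theme: the manifests set nothing beyond image and port, so every default (root, all capabilities, writable rootfs, no seccomp, mounted service-account token, no resource bounds, floating image reference, default namespace) is what runs. The example below is added here and is not checkov's code or the repository's: it re-implements the listed CKV_K8S_* checks in simplified form over the original whoami Deployment and over a hardened variant, so the two can be compared side by side. Manifests are plain dicts (what yaml.safe_load returns). Assumptions in the hardened variant: the image tag and the all-zero digest are placeholders, whoami is moved to port 8080 via its --port flag so it can bind as a non-root UID, and its /health endpoint backs both probes.

```python
"""Simplified re-implementation of the checkov Kubernetes checks listed above.
Added example, not checkov's own code: each rule approximates the policy named
by its CKV_K8S_* ID. Manifests are dicts, as returned by yaml.safe_load()."""
import re

# Constructed from dep-whoami.yaml exactly as reported above.
WHOAMI_ORIGINAL = {
    "kind": "Deployment", "apiVersion": "apps/v1",
    "metadata": {"name": "whoami", "labels": {"app": "whoami"}},
    "spec": {"replicas": 1, "selector": {"matchLabels": {"app": "whoami"}},
             "template": {"metadata": {"labels": {"app": "whoami"}},
                          "spec": {"containers": [{
                              "name": "whoami", "image": "traefik/whoami",
                              "ports": [{"name": "web", "containerPort": 80}]}]}}},
}

# Constructed hardened variant. Assumed: placeholder tag/digest, port 8080 so the
# process can bind as non-root, /health as probe endpoint.
WHOAMI_HARDENED = {
    "kind": "Deployment", "apiVersion": "apps/v1",
    "metadata": {"name": "whoami", "namespace": "whoami", "labels": {"app": "whoami"}},
    "spec": {"replicas": 1, "selector": {"matchLabels": {"app": "whoami"}},
             "template": {"metadata": {"labels": {"app": "whoami"}}, "spec": {
                 "automountServiceAccountToken": False,           # CKV_K8S_38
                 "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},  # _31
                 "containers": [{
                     "name": "whoami",
                     "image": "traefik/whoami:v1.10.1@sha256:" + "0" * 64,  # _14, _43
                     "imagePullPolicy": "Always",                          # _15
                     "args": ["--port", "8080"],
                     "ports": [{"name": "web", "containerPort": 8080}],
                     "resources": {"requests": {"cpu": "10m", "memory": "32Mi"},
                                   "limits": {"cpu": "100m", "memory": "64Mi"}},  # _10.._13
                     "livenessProbe": {"httpGet": {"path": "/health", "port": 8080}},   # _8
                     "readinessProbe": {"httpGet": {"path": "/health", "port": 8080}},  # _9
                     "securityContext": {                                  # _29, _30
                         "runAsNonRoot": True, "runAsUser": 10001,         # _23, _40
                         "allowPrivilegeEscalation": False,                # _20
                         "readOnlyRootFilesystem": True,                   # _22
                         "capabilities": {"drop": ["ALL"]}}}]}}},          # _28, _37
}

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def pod_spec(manifest):
    """Return (namespace, pod spec) for a Pod or for a workload that carries a pod template."""
    namespace = manifest.get("metadata", {}).get("namespace", "default")
    spec = manifest.get("spec", {})
    if manifest.get("kind") != "Pod":
        spec = spec.get("template", {}).get("spec", {})
    return namespace, spec


def image_tag(image):
    """Tag part of an image reference, ignoring a registry port and any digest."""
    name = image.split("@", 1)[0].rsplit("/", 1)[-1]
    return name.split(":", 1)[1] if ":" in name else ""


def container_findings(c, pod_sc):
    """Container-level checks; pod_sc is the pod securityContext some fields inherit from."""
    f = []
    res = c.get("resources", {})
    for cid, kind, unit in (("10", "requests", "cpu"), ("11", "limits", "cpu"),
                            ("12", "requests", "memory"), ("13", "limits", "memory")):
        if unit not in res.get(kind, {}): f.append("CKV_K8S_" + cid)
    if "livenessProbe" not in c: f.append("CKV_K8S_8")
    if "readinessProbe" not in c: f.append("CKV_K8S_9")
    image = c.get("image", "")
    pinned = "@" in image or image_tag(image) not in ("", "latest")
    if not pinned: f.append("CKV_K8S_14")
    # Kubernetes defaults imagePullPolicy to Always only for untagged/:latest images.
    policy = c.get("imagePullPolicy")
    if (policy is None and pinned) or (policy is not None and policy != "Always"):
        f.append("CKV_K8S_15")
    if not DIGEST_RE.search(image): f.append("CKV_K8S_43")
    sc = c.get("securityContext", {})
    if not sc: f.append("CKV_K8S_30")
    if not sc and not pod_sc: f.append("CKV_K8S_29")
    if sc.get("allowPrivilegeEscalation") is not False: f.append("CKV_K8S_20")
    if not sc.get("readOnlyRootFilesystem"): f.append("CKV_K8S_22")
    uid = sc.get("runAsUser", pod_sc.get("runAsUser", 0))
    non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
    if not (non_root or uid > 0): f.append("CKV_K8S_23")
    if uid <= 10000: f.append("CKV_K8S_40")
    drop = {d.upper() for d in sc.get("capabilities", {}).get("drop", [])}
    if not drop & {"ALL", "NET_RAW"}: f.append("CKV_K8S_28")
    if "ALL" not in drop: f.append("CKV_K8S_37")
    seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
    if seccomp != "RuntimeDefault": f.append("CKV_K8S_31")
    return f


def pod_findings(manifest):
    """Sorted CKV_K8S_* IDs that fail for one Pod or pod-template workload."""
    namespace, spec = pod_spec(manifest)
    found = set()
    if namespace == "default": found.add("CKV_K8S_21")
    if spec.get("automountServiceAccountToken") is not False: found.add("CKV_K8S_38")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        found.update(container_findings(c, pod_sc))
    return sorted(found, key=lambda cid: int(cid.rsplit("_", 1)[1]))


if __name__ == "__main__":
    for label, manifest in (("original", WHOAMI_ORIGINAL), ("hardened", WHOAMI_HARDENED)):
        print(label, pod_findings(manifest) or "passes all checks")
```

Running it reproduces the nineteen IDs reported for Deployment.default.whoami above and an empty list for the hardened variant. Two caveats a practitioner should keep in mind: the digest must be the real one (obtain it with `docker buildx imagetools inspect` or `crane digest`; an all-zero digest will simply fail to pull), and `readOnlyRootFilesystem: true` breaks any process that writes to its image filesystem, so pair it with an emptyDir volume for paths the application needs writable.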
Check: CKV_K8S_155: "Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations"
FAILED for resource: ClusterRole.default.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:4477-4506
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-control-over-validating-or-mutating-admission-webhook-configurations-are-minimized.html
4477 | apiVersion: rbac.authorization.k8s.io/v1
4478 | kind: ClusterRole
4479 | metadata:
4480 |   name: cert-manager-cainjector
4481 |   labels:
4482 |     app: cainjector
4483 |     app.kubernetes.io/name: cainjector
4484 |     app.kubernetes.io/instance: cert-manager
4485 |     app.kubernetes.io/component: "cainjector"
4486 |     app.kubernetes.io/version: "v1.10.0"
4487 | rules:
4488 |   - apiGroups: ["cert-manager.io"]
4489 |     resources: ["certificates"]
4490 |     verbs: ["get", "list", "watch"]
4491 |   - apiGroups: [""]
4492 |     resources: ["secrets"]
4493 |     verbs: ["get", "list", "watch"]
4494 |   - apiGroups: [""]
4495 |     resources: ["events"]
4496 |     verbs: ["get", "create", "update", "patch"]
4497 |   - apiGroups: ["admissionregistration.k8s.io"]
4498 |     resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
4499 |     verbs: ["get", "list", "watch", "update"]
4500 |   - apiGroups: ["apiregistration.k8s.io"]
4501 |     resources: ["apiservices"]
4502 |     verbs: ["get", "list", "watch", "update"]
4503 |   - apiGroups: ["apiextensions.k8s.io"]
4504 |     resources: ["customresourcedefinitions"]
4505 |     verbs: ["get", "list", "watch", "update"]
4506 | ---
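CKV_K8S_155 is the one finding in this report that is about RBAC rather than pod hardening. A subject that can update a MutatingWebhookConfiguration can point admission traffic at a webhook it controls and rewrite every object the API server admits, cluster-wide; that is why write verbs on admissionregistration.k8s.io are singled out. The example below is added here and is not checkov's code or cert-manager's: it extracts exactly the rules that grant that control from a ClusterRole, with the cainjector role transcribed from the excerpt above and a constructed read-only counterpart for contrast.

```python
"""Flag RBAC rules that grant control over admission webhook configuration
(the policy behind CKV_K8S_155). Added example, not checkov's code. The first
ClusterRole is transcribed from the cert-manager.yaml excerpt above."""

# Verbs that let a subject change which webhooks the API server calls.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
WEBHOOK_RESOURCES = {"validatingwebhookconfigurations", "mutatingwebhookconfigurations", "*"}

CAINJECTOR_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
    "metadata": {"name": "cert-manager-cainjector"},
    "rules": [
        {"apiGroups": ["cert-manager.io"], "resources": ["certificates"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["events"],
         "verbs": ["get", "create", "update", "patch"]},
        {"apiGroups": ["admissionregistration.k8s.io"],
         "resources": ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"],
         "verbs": ["get", "list", "watch", "update"]},
        {"apiGroups": ["apiregistration.k8s.io"], "resources": ["apiservices"],
         "verbs": ["get", "list", "watch", "update"]},
        {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"],
         "verbs": ["get", "list", "watch", "update"]},
    ],
}

# Constructed read-only counterpart: same resources, no mutating verbs.
READONLY_ROLE = {
    "kind": "ClusterRole", "metadata": {"name": "webhook-viewer"},
    "rules": [{"apiGroups": ["admissionregistration.k8s.io"],
               "resources": ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"],
               "verbs": ["get", "list", "watch"]}],
}


def webhook_control_rules(role):
    """Return the rules in a ClusterRole that can modify admission webhook configurations."""
    if role.get("kind") != "ClusterRole":
        return []  # a namespaced Role grants nothing on these cluster-scoped resources
    hits = []
    for rule in role.get("rules", []):
        groups = set(rule.get("apiGroups", []))
        resources = {r.lower().split("/")[0] for r in rule.get("resources", [])}
        verbs = {v.lower() for v in rule.get("verbs", [])}
        if (groups & {"admissionregistration.k8s.io", "*"}
                and resources & WEBHOOK_RESOURCES and verbs & WRITE_VERBS):
            hits.append(rule)
    return hits


def describe(role):
    """One line per offending rule, in the shape a reviewer wants in a report."""
    name = role.get("metadata", {}).get("name", "<unnamed>")
    return [f"{name}: {sorted(set(r['verbs']) & WRITE_VERBS)} on {sorted(r['resources'])}"
            for r in webhook_control_rules(role)]


if __name__ == "__main__":
    for role in (CAINJECTOR_ROLE, READONLY_ROLE):
        print(describe(role) or f"{role['metadata']['name']}: no webhook write access")
```

For cainjector the `update` verb is not an accident: its job is to write CA bundles into webhook configurations that carry the cert-manager.io/inject-ca-from annotation, so the finding is a known, functional privilege rather than a misconfiguration. The decision for the reviewer is whether to accept it with a documented inline skip (`# checkov:skip=CKV_K8S_155: cainjector must update webhook caBundles`) or to narrow the rule with `resourceNames` to the webhook configurations cainjector actually manages, at the cost of breaking CA injection for any other component that relies on the annotation.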
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5229-5280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5229-5280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5229-5280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5229-5280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5229-5280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5229-5280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5229-5280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5229-5280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5229-5280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5229-5280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5229-5280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5282-5342
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5282-5342
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5282-5342
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5282-5342
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5282-5342
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5282-5342
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5282-5342
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5282-5342
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5282-5342
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5282-5342
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5282-5342
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5344-5428
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5344-5428
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5344-5428
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5344-5428
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5344-5428
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5344-5428
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5344-5428
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5344-5428
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5344-5428
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.example-service
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/service.yaml:1-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 |   name: example-service
5 |   labels:
6 |     app: example-app
7 | spec:
8 |   externalTrafficPolicy: Cluster
9 |   type: NodePort
10 |   selector:
11 |     app: example-app
12 |   ports:
13 |   - protocol: TCP
14 |     name: http
15 |     port: 80
16 |     targetPort: 5000
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Ingress.default.whoami-ingress
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/ingress.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: networking.k8s.io/v1
3 | kind: Ingress
4 | metadata:
5 |   annotations:
6 |     kubernetes.io/ingress.class: "nginx"
7 |     nginx.ingress.kubernetes.io/ssl-redirect: "false"
8 |   name: whoami-ingress
9 | spec:
10 |   tls:
11 |   - hosts:
12 |     - testcertmanager.ankitrathi.info
13 |     secretName: tls-secret
14 |   rules:
15 |   - host: testcertmanager.ankitrathi.info
16 |     http:
17 |       paths:
18 |       - path: /test
19 |         pathType: Prefix
20 |         backend:
21 |           service:
22 |             name: whoami
23 |             port:
24 |               number: 80
25 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.kafdrop-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_009__local__kafdrop/kafdrop-manifests.yaml:3-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
3 | apiVersion: v1
4 | kind: Service
5 | metadata:
6 |   name: kafdrop-template
7 |   labels:
8 |     app.kubernetes.io/name: kafdrop
9 |     helm.sh/chart: kafdrop-0.1.0
10 |     app.kubernetes.io/instance: kafdrop-template
11 |     app.kubernetes.io/managed-by: Helm
12 | spec:
13 |   type: NodePort
14 |   ports:
15 |     - port: 9000
16 |       targetPort: http
17 |       protocol: TCP
18 |       name: http
19 |
20 |       nodePort: 30900
21 |
22 |   selector:
23 |     app.kubernetes.io/name: kafdrop
24 |     app.kubernetes.io/instance: kafdrop-template
25 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.kafdrop-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_009__local__kafdrop/kafdrop-manifests.yaml:27-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.kafdrop-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_009__local__kafdrop/kafdrop-manifests.yaml:27-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.kafdrop-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_009__local__kafdrop/kafdrop-manifests.yaml:27-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.kafdrop-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_009__local__kafdrop/kafdrop-manifests.yaml:27-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.kafdrop-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_009__local__kafdrop/kafdrop-manifests.yaml:27-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.kafdrop-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_009__local__kafdrop/kafdrop-manifests.yaml:27-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.kafdrop-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_009__local__kafdrop/kafdrop-manifests.yaml:27-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.kafdrop-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_009__local__kafdrop/kafdrop-manifests.yaml:27-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.kafdrop-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_009__local__kafdrop/kafdrop-manifests.yaml:27-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.kafdrop-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_009__local__kafdrop/kafdrop-manifests.yaml:27-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.kafdrop-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_009__local__kafdrop/kafdrop-manifests.yaml:27-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.kafdrop-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_009__local__kafdrop/kafdrop-manifests.yaml:27-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.kafdrop-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_009__local__kafdrop/kafdrop-manifests.yaml:27-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.kafdrop-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_009__local__kafdrop/kafdrop-manifests.yaml:27-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.kafdrop-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_009__local__kafdrop/kafdrop-manifests.yaml:27-102
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.kube-system.kube-state-metrics
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_031__gcp__kube_state_metrics/deployment.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   labels:
5 |     app.kubernetes.io/name: kube-state-metrics
6 |     app.kubernetes.io/version: 1.9.7
7 |   name: kube-state-metrics
8 |   namespace: kube-system
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app.kubernetes.io/name: kube-state-metrics
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app.kubernetes.io/name: kube-state-metrics
18 |         app.kubernetes.io/version: 1.9.7
19 |     spec:
20 |       containers:
21 |       - image: quay.io/coreos/kube-state-metrics:v1.9.7
22 |         livenessProbe:
23 |           httpGet:
24 |             path: /healthz
25 |             port: 8080
26 |           initialDelaySeconds: 5
27 |           timeoutSeconds: 5
28 |         name: kube-state-metrics
29 |         ports:
30 |         - containerPort: 8080
31 |           name: http-metrics
32 |         - containerPort: 8081
33 |           name: telemetry
34 |         readinessProbe:
35 |           httpGet:
36 |             path: /
37 |             port: 8081
38 |           initialDelaySeconds: 5
39 |           timeoutSeconds: 5
40 |         securityContext:
41 |           runAsUser: 65534
42 |       nodeSelector:
43 |         kubernetes.io/os: linux
44 |       serviceAccountName: kube-state-metrics
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.kube-system.kube-state-metrics
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_031__gcp__kube_state_metrics/deployment.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.kube-system.kube-state-metrics
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_031__gcp__kube_state_metrics/deployment.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.kube-system.kube-state-metrics
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_031__gcp__kube_state_metrics/deployment.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.kube-system.kube-state-metrics
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_031__gcp__kube_state_metrics/deployment.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.kube-system.kube-state-metrics
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_031__gcp__kube_state_metrics/deployment.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.kube-system.kube-state-metrics
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_031__gcp__kube_state_metrics/deployment.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.kube-system.kube-state-metrics
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_031__gcp__kube_state_metrics/deployment.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.kube-system.kube-state-metrics
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_031__gcp__kube_state_metrics/deployment.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.kube-system.kube-state-metrics
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_031__gcp__kube_state_metrics/deployment.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.kube-system.kube-state-metrics
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_031__gcp__kube_state_metrics/deployment.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.kube-system.kube-state-metrics
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_031__gcp__kube_state_metrics/deployment.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.kube-system.kube-state-metrics
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_031__gcp__kube_state_metrics/deployment.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_029__gcp__configuring_dns_with_static_IPs_k8_using_Ingress/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: helloweb
5 | labels:
6 | app: hello
7 | spec:
8 | selector:
9 | matchLabels:
10 | app: hello
11 | tier: web
12 | template:
13 | metadata:
14 | labels:
15 | app: hello
16 | tier: web
17 | spec:
18 | containers:
19 | - name: hello-app
20 | image: gcr.io/google-samples/hello-app:1.0
21 | ports:
22 | - containerPort: 8080
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_029__gcp__configuring_dns_with_static_IPs_k8_using_Ingress/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_029__gcp__configuring_dns_with_static_IPs_k8_using_Ingress/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_029__gcp__configuring_dns_with_static_IPs_k8_using_Ingress/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_029__gcp__configuring_dns_with_static_IPs_k8_using_Ingress/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_029__gcp__configuring_dns_with_static_IPs_k8_using_Ingress/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_029__gcp__configuring_dns_with_static_IPs_k8_using_Ingress/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_029__gcp__configuring_dns_with_static_IPs_k8_using_Ingress/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_029__gcp__configuring_dns_with_static_IPs_k8_using_Ingress/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_029__gcp__configuring_dns_with_static_IPs_k8_using_Ingress/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_029__gcp__configuring_dns_with_static_IPs_k8_using_Ingress/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_029__gcp__configuring_dns_with_static_IPs_k8_using_Ingress/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_029__gcp__configuring_dns_with_static_IPs_k8_using_Ingress/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_029__gcp__configuring_dns_with_static_IPs_k8_using_Ingress/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_029__gcp__configuring_dns_with_static_IPs_k8_using_Ingress/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_029__gcp__configuring_dns_with_static_IPs_k8_using_Ingress/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_029__gcp__configuring_dns_with_static_IPs_k8_using_Ingress/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_029__gcp__configuring_dns_with_static_IPs_k8_using_Ingress/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_029__gcp__configuring_dns_with_static_IPs_k8_using_Ingress/helloweb-deployment.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Ingress.default.helloweb
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_029__gcp__configuring_dns_with_static_IPs_k8_using_Ingress/helloweb-ingress.yaml:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: extensions/v1beta1
2 | kind: Ingress
3 | metadata:
4 | name: helloweb
5 | annotations:
6 | kubernetes.io/ingress.global-static-ip-name: helloweb-ip
7 | labels:
8 | app: hello
9 | spec:
10 | backend:
11 | serviceName: helloweb-backend
12 | servicePort: 8080
13 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.helloweb-backend
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_029__gcp__configuring_dns_with_static_IPs_k8_using_Ingress/helloweb-ingress.yaml:14-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
14 | apiVersion: v1
15 | kind: Service
16 | metadata:
17 | name: helloweb-backend
18 | labels:
19 | app: hello
20 | spec:
21 | type: NodePort
22 | selector:
23 | app: hello
24 | tier: web
25 | ports:
26 | - port: 8080
27 | targetPort: 8080
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/httpbin-app/svc.yaml:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 | name: httpbin
5 | labels:
6 | app: httpbin
7 | spec:
8 | ports:
9 | - name: http
10 | port: 80
11 | targetPort: 80
12 | selector:
13 | app: httpbin
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: httpbin
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: httpbin
10 | template:
11 | metadata:
12 | labels:
13 | app: httpbin
14 | spec:
15 | containers:
16 | - image: docker.io/kennethreitz/httpbin
17 | name: httpbin
18 | ports:
19 | - containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: httpbin
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: httpbin
10 | template:
11 | metadata:
12 | labels:
13 | app: httpbin
14 | spec:
15 | containers:
16 | - image: docker.io/kennethreitz/httpbin
17 | name: httpbin
18 | ports:
19 | - containerPort: 80
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: httpbin
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: httpbin
10 | template:
11 | metadata:
12 | labels:
13 | app: httpbin
14 | spec:
15 | containers:
16 | - image: docker.io/kennethreitz/httpbin
17 | name: httpbin
18 | ports:
19 | - containerPort: 80
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: httpbin
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: httpbin
10 | template:
11 | metadata:
12 | labels:
13 | app: httpbin
14 | spec:
15 | containers:
16 | - image: docker.io/kennethreitz/httpbin
17 | name: httpbin
18 | ports:
19 | - containerPort: 80
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: httpbin
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: httpbin
10 | template:
11 | metadata:
12 | labels:
13 | app: httpbin
14 | spec:
15 | containers:
16 | - image: docker.io/kennethreitz/httpbin
17 | name: httpbin
18 | ports:
19 | - containerPort: 80
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: httpbin
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: httpbin
10 | template:
11 | metadata:
12 | labels:
13 | app: httpbin
14 | spec:
15 | containers:
16 | - image: docker.io/kennethreitz/httpbin
17 | name: httpbin
18 | ports:
19 | - containerPort: 80
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Ingress.default.demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/httpbin-app/ingress.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: extensions/v1beta1
2 | kind: Ingress
3 | metadata:
4 | name: demo
5 | annotations:
6 | konghq.com/strip-path: "true"
7 | kubernetes.io/ingress.class: kong
8 | spec:
9 | rules:
10 | - http:
11 | paths:
12 | - path: /foo
13 | backend:
14 | serviceName: httpbin
15 | servicePort: 80
16 | - path: /bar
17 | backend:
18 | serviceName: echo
19 | servicePort: 80
20 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Ingress.default.demo-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/httpbin-app/ingress.yaml:21-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
21 | apiVersion: extensions/v1beta1
22 | kind: Ingress
23 | metadata:
24 | name: demo-2
25 | annotations:
26 | konghq.com/strip-path: "true"
27 | kubernetes.io/ingress.class: kong
28 | spec:
29 | rules:
30 | - http:
31 | paths:
32 | - path: /baz
33 | backend:
34 | serviceName: httpbin
35 | servicePort: 80
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/echo-app/svc.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 | labels:
5 | app: echo
6 | name: echo
7 | spec:
8 | ports:
9 | - port: 8080
10 | name: high
11 | protocol: TCP
12 | targetPort: 8080
13 | - port: 80
14 | name: low
15 | protocol: TCP
16 | targetPort: 8080
17 | selector:
18 | app: echo
19 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/echo-app/dep.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | labels:
5 | app: echo
6 | name: echo
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: echo
12 | strategy: {}
13 | template:
14 | metadata:
15 | creationTimestamp: null
16 | labels:
17 | app: echo
18 | spec:
19 | containers:
20 | - image: gcr.io/kubernetes-e2e-test-images/echoserver:2.2
21 | name: echo
22 | ports:
23 | - containerPort: 8080
24 | env:
25 | - name: NODE_NAME
26 | valueFrom:
27 | fieldRef:
28 | fieldPath: spec.nodeName
29 | - name: POD_NAME
30 | valueFrom:
31 | fieldRef:
32 | fieldPath: metadata.name
33 | - name: POD_NAMESPACE
34 | valueFrom:
35 | fieldRef:
36 | fieldPath: metadata.namespace
37 | - name: POD_IP
38 | valueFrom:
39 | fieldRef:
40 | fieldPath: status.podIP
41 | resources: {}
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/echo-app/dep.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | labels:
5 | app: echo
6 | name: echo
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: echo
12 | strategy: {}
13 | template:
14 | metadata:
15 | creationTimestamp: null
16 | labels:
17 | app: echo
18 | spec:
19 | containers:
20 | - image: gcr.io/kubernetes-e2e-test-images/echoserver:2.2
21 | name: echo
22 | ports:
23 | - containerPort: 8080
24 | env:
25 | - name: NODE_NAME
26 | valueFrom:
27 | fieldRef:
28 | fieldPath: spec.nodeName
29 | - name: POD_NAME
30 | valueFrom:
31 | fieldRef:
32 | fieldPath: metadata.name
33 | - name: POD_NAMESPACE
34 | valueFrom:
35 | fieldRef:
36 | fieldPath: metadata.namespace
37 | - name: POD_IP
38 | valueFrom:
39 | fieldRef:
40 | fieldPath: status.podIP
41 | resources: {}
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/echo-app/dep.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | labels:
5 | app: echo
6 | name: echo
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: echo
12 | strategy: {}
13 | template:
14 | metadata:
15 | creationTimestamp: null
16 | labels:
17 | app: echo
18 | spec:
19 | containers:
20 | - image: gcr.io/kubernetes-e2e-test-images/echoserver:2.2
21 | name: echo
22 | ports:
23 | - containerPort: 8080
24 | env:
25 | - name: NODE_NAME
26 | valueFrom:
27 | fieldRef:
28 | fieldPath: spec.nodeName
29 | - name: POD_NAME
30 | valueFrom:
31 | fieldRef:
32 | fieldPath: metadata.name
33 | - name: POD_NAMESPACE
34 | valueFrom:
35 | fieldRef:
36 | fieldPath: metadata.namespace
37 | - name: POD_IP
38 | valueFrom:
39 | fieldRef:
40 | fieldPath: status.podIP
41 | resources: {}
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/echo-app/dep.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | labels:
5 | app: echo
6 | name: echo
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: echo
12 | strategy: {}
13 | template:
14 | metadata:
15 | creationTimestamp: null
16 | labels:
17 | app: echo
18 | spec:
19 | containers:
20 | - image: gcr.io/kubernetes-e2e-test-images/echoserver:2.2
21 | name: echo
22 | ports:
23 | - containerPort: 8080
24 | env:
25 | - name: NODE_NAME
26 | valueFrom:
27 | fieldRef:
28 | fieldPath: spec.nodeName
29 | - name: POD_NAME
30 | valueFrom:
31 | fieldRef:
32 | fieldPath: metadata.name
33 | - name: POD_NAMESPACE
34 | valueFrom:
35 | fieldRef:
36 | fieldPath: metadata.namespace
37 | - name: POD_IP
38 | valueFrom:
39 | fieldRef:
40 | fieldPath: status.podIP
41 | resources: {}
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/echo-app/dep.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | labels:
5 | app: echo
6 | name: echo
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: echo
12 | strategy: {}
13 | template:
14 | metadata:
15 | creationTimestamp: null
16 | labels:
17 | app: echo
18 | spec:
19 | containers:
20 | - image: gcr.io/kubernetes-e2e-test-images/echoserver:2.2
21 | name: echo
22 | ports:
23 | - containerPort: 8080
24 | env:
25 | - name: NODE_NAME
26 | valueFrom:
27 | fieldRef:
28 | fieldPath: spec.nodeName
29 | - name: POD_NAME
30 | valueFrom:
31 | fieldRef:
32 | fieldPath: metadata.name
33 | - name: POD_NAMESPACE
34 | valueFrom:
35 | fieldRef:
36 | fieldPath: metadata.namespace
37 | - name: POD_IP
38 | valueFrom:
39 | fieldRef:
40 | fieldPath: status.podIP
41 | resources: {}
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/echo-app/dep.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | labels:
5 | app: echo
6 | name: echo
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: echo
12 | strategy: {}
13 | template:
14 | metadata:
15 | creationTimestamp: null
16 | labels:
17 | app: echo
18 | spec:
19 | containers:
20 | - image: gcr.io/kubernetes-e2e-test-images/echoserver:2.2
21 | name: echo
22 | ports:
23 | - containerPort: 8080
24 | env:
25 | - name: NODE_NAME
26 | valueFrom:
27 | fieldRef:
28 | fieldPath: spec.nodeName
29 | - name: POD_NAME
30 | valueFrom:
31 | fieldRef:
32 | fieldPath: metadata.name
33 | - name: POD_NAMESPACE
34 | valueFrom:
35 | fieldRef:
36 | fieldPath: metadata.namespace
37 | - name: POD_IP
38 | valueFrom:
39 | fieldRef:
40 | fieldPath: status.podIP
41 | resources: {}
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/echo-app/dep.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | labels:
5 | app: echo
6 | name: echo
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: echo
12 | strategy: {}
13 | template:
14 | metadata:
15 | creationTimestamp: null
16 | labels:
17 | app: echo
18 | spec:
19 | containers:
20 | - image: gcr.io/kubernetes-e2e-test-images/echoserver:2.2
21 | name: echo
22 | ports:
23 | - containerPort: 8080
24 | env:
25 | - name: NODE_NAME
26 | valueFrom:
27 | fieldRef:
28 | fieldPath: spec.nodeName
29 | - name: POD_NAME
30 | valueFrom:
31 | fieldRef:
32 | fieldPath: metadata.name
33 | - name: POD_NAMESPACE
34 | valueFrom:
35 | fieldRef:
36 | fieldPath: metadata.namespace
37 | - name: POD_IP
38 | valueFrom:
39 | fieldRef:
40 | fieldPath: status.podIP
41 | resources: {}
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/echo-app/dep.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | labels:
5 | app: echo
6 | name: echo
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: echo
12 | strategy: {}
13 | template:
14 | metadata:
15 | creationTimestamp: null
16 | labels:
17 | app: echo
18 | spec:
19 | containers:
20 | - image: gcr.io/kubernetes-e2e-test-images/echoserver:2.2
21 | name: echo
22 | ports:
23 | - containerPort: 8080
24 | env:
25 | - name: NODE_NAME
26 | valueFrom:
27 | fieldRef:
28 | fieldPath: spec.nodeName
29 | - name: POD_NAME
30 | valueFrom:
31 | fieldRef:
32 | fieldPath: metadata.name
33 | - name: POD_NAMESPACE
34 | valueFrom:
35 | fieldRef:
36 | fieldPath: metadata.namespace
37 | - name: POD_IP
38 | valueFrom:
39 | fieldRef:
40 | fieldPath: status.podIP
41 | resources: {}
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/echo-app/dep.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | labels:
5 | app: echo
6 | name: echo
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: echo
12 | strategy: {}
13 | template:
14 | metadata:
15 | creationTimestamp: null
16 | labels:
17 | app: echo
18 | spec:
19 | containers:
20 | - image: gcr.io/kubernetes-e2e-test-images/echoserver:2.2
21 | name: echo
22 | ports:
23 | - containerPort: 8080
24 | env:
25 | - name: NODE_NAME
26 | valueFrom:
27 | fieldRef:
28 | fieldPath: spec.nodeName
29 | - name: POD_NAME
30 | valueFrom:
31 | fieldRef:
32 | fieldPath: metadata.name
33 | - name: POD_NAMESPACE
34 | valueFrom:
35 | fieldRef:
36 | fieldPath: metadata.namespace
37 | - name: POD_IP
38 | valueFrom:
39 | fieldRef:
40 | fieldPath: status.podIP
41 | resources: {}
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/echo-app/dep.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | labels:
5 | app: echo
6 | name: echo
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: echo
12 | strategy: {}
13 | template:
14 | metadata:
15 | creationTimestamp: null
16 | labels:
17 | app: echo
18 | spec:
19 | containers:
20 | - image: gcr.io/kubernetes-e2e-test-images/echoserver:2.2
21 | name: echo
22 | ports:
23 | - containerPort: 8080
24 | env:
25 | - name: NODE_NAME
26 | valueFrom:
27 | fieldRef:
28 | fieldPath: spec.nodeName
29 | - name: POD_NAME
30 | valueFrom:
31 | fieldRef:
32 | fieldPath: metadata.name
33 | - name: POD_NAMESPACE
34 | valueFrom:
35 | fieldRef:
36 | fieldPath: metadata.namespace
37 | - name: POD_IP
38 | valueFrom:
39 | fieldRef:
40 | fieldPath: status.podIP
41 | resources: {}
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/echo-app/dep.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | labels:
5 | app: echo
6 | name: echo
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: echo
12 | strategy: {}
13 | template:
14 | metadata:
15 | creationTimestamp: null
16 | labels:
17 | app: echo
18 | spec:
19 | containers:
20 | - image: gcr.io/kubernetes-e2e-test-images/echoserver:2.2
21 | name: echo
22 | ports:
23 | - containerPort: 8080
24 | env:
25 | - name: NODE_NAME
26 | valueFrom:
27 | fieldRef:
28 | fieldPath: spec.nodeName
29 | - name: POD_NAME
30 | valueFrom:
31 | fieldRef:
32 | fieldPath: metadata.name
33 | - name: POD_NAMESPACE
34 | valueFrom:
35 | fieldRef:
36 | fieldPath: metadata.namespace
37 | - name: POD_IP
38 | valueFrom:
39 | fieldRef:
40 | fieldPath: status.podIP
41 | resources: {}
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/echo-app/dep.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | labels:
5 | app: echo
6 | name: echo
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: echo
12 | strategy: {}
13 | template:
14 | metadata:
15 | creationTimestamp: null
16 | labels:
17 | app: echo
18 | spec:
19 | containers:
20 | - image: gcr.io/kubernetes-e2e-test-images/echoserver:2.2
21 | name: echo
22 | ports:
23 | - containerPort: 8080
24 | env:
25 | - name: NODE_NAME
26 | valueFrom:
27 | fieldRef:
28 | fieldPath: spec.nodeName
29 | - name: POD_NAME
30 | valueFrom:
31 | fieldRef:
32 | fieldPath: metadata.name
33 | - name: POD_NAMESPACE
34 | valueFrom:
35 | fieldRef:
36 | fieldPath: metadata.namespace
37 | - name: POD_IP
38 | valueFrom:
39 | fieldRef:
40 | fieldPath: status.podIP
41 | resources: {}
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/echo-app/dep.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | labels:
5 | app: echo
6 | name: echo
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: echo
12 | strategy: {}
13 | template:
14 | metadata:
15 | creationTimestamp: null
16 | labels:
17 | app: echo
18 | spec:
19 | containers:
20 | - image: gcr.io/kubernetes-e2e-test-images/echoserver:2.2
21 | name: echo
22 | ports:
23 | - containerPort: 8080
24 | env:
25 | - name: NODE_NAME
26 | valueFrom:
27 | fieldRef:
28 | fieldPath: spec.nodeName
29 | - name: POD_NAME
30 | valueFrom:
31 | fieldRef:
32 | fieldPath: metadata.name
33 | - name: POD_NAMESPACE
34 | valueFrom:
35 | fieldRef:
36 | fieldPath: metadata.namespace
37 | - name: POD_IP
38 | valueFrom:
39 | fieldRef:
40 | fieldPath: status.podIP
41 | resources: {}
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/echo-app/dep.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | labels:
5 | app: echo
6 | name: echo
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: echo
12 | strategy: {}
13 | template:
14 | metadata:
15 | creationTimestamp: null
16 | labels:
17 | app: echo
18 | spec:
19 | containers:
20 | - image: gcr.io/kubernetes-e2e-test-images/echoserver:2.2
21 | name: echo
22 | ports:
23 | - containerPort: 8080
24 | env:
25 | - name: NODE_NAME
26 | valueFrom:
27 | fieldRef:
28 | fieldPath: spec.nodeName
29 | - name: POD_NAME
30 | valueFrom:
31 | fieldRef:
32 | fieldPath: metadata.name
33 | - name: POD_NAMESPACE
34 | valueFrom:
35 | fieldRef:
36 | fieldPath: metadata.namespace
37 | - name: POD_IP
38 | valueFrom:
39 | fieldRef:
40 | fieldPath: status.podIP
41 | resources: {}
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/echo-app/dep.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | labels:
5 | app: echo
6 | name: echo
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: echo
12 | strategy: {}
13 | template:
14 | metadata:
15 | creationTimestamp: null
16 | labels:
17 | app: echo
18 | spec:
19 | containers:
20 | - image: gcr.io/kubernetes-e2e-test-images/echoserver:2.2
21 | name: echo
22 | ports:
23 | - containerPort: 8080
24 | env:
25 | - name: NODE_NAME
26 | valueFrom:
27 | fieldRef:
28 | fieldPath: spec.nodeName
29 | - name: POD_NAME
30 | valueFrom:
31 | fieldRef:
32 | fieldPath: metadata.name
33 | - name: POD_NAMESPACE
34 | valueFrom:
35 | fieldRef:
36 | fieldPath: metadata.namespace
37 | - name: POD_IP
38 | valueFrom:
39 | fieldRef:
40 | fieldPath: status.podIP
41 | resources: {}
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/echo-app/dep.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | labels:
5 | app: echo
6 | name: echo
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: echo
12 | strategy: {}
13 | template:
14 | metadata:
15 | creationTimestamp: null
16 | labels:
17 | app: echo
18 | spec:
19 | containers:
20 | - image: gcr.io/kubernetes-e2e-test-images/echoserver:2.2
21 | name: echo
22 | ports:
23 | - containerPort: 8080
24 | env:
25 | - name: NODE_NAME
26 | valueFrom:
27 | fieldRef:
28 | fieldPath: spec.nodeName
29 | - name: POD_NAME
30 | valueFrom:
31 | fieldRef:
32 | fieldPath: metadata.name
33 | - name: POD_NAMESPACE
34 | valueFrom:
35 | fieldRef:
36 | fieldPath: metadata.namespace
37 | - name: POD_IP
38 | valueFrom:
39 | fieldRef:
40 | fieldPath: status.podIP
41 | resources: {}
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/echo-app/dep.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | labels:
5 | app: echo
6 | name: echo
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: echo
12 | strategy: {}
13 | template:
14 | metadata:
15 | creationTimestamp: null
16 | labels:
17 | app: echo
18 | spec:
19 | containers:
20 | - image: gcr.io/kubernetes-e2e-test-images/echoserver:2.2
21 | name: echo
22 | ports:
23 | - containerPort: 8080
24 | env:
25 | - name: NODE_NAME
26 | valueFrom:
27 | fieldRef:
28 | fieldPath: spec.nodeName
29 | - name: POD_NAME
30 | valueFrom:
31 | fieldRef:
32 | fieldPath: metadata.name
33 | - name: POD_NAMESPACE
34 | valueFrom:
35 | fieldRef:
36 | fieldPath: metadata.namespace
37 | - name: POD_IP
38 | valueFrom:
39 | fieldRef:
40 | fieldPath: status.podIP
41 | resources: {}
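Every finding above against Deployment.default.httpbin and Deployment.default.echo (and, further down, against Pod.default.bar-app) traces back to the same handful of missing fields: a namespace, a pod-level and container-level securityContext, resource requests and limits, liveness and readiness probes, an image pinned by tag and digest, and automountServiceAccountToken. The script below is an added example and is not code from the repository or from checkov: it re-implements the CKV_K8S_* checks listed in this report as an approximation (checkov's own logic accepts a few extra forms, for instance a seccomp annotation for CKV_K8S_31), runs them over the httpbin Deployment and the bar-app Pod reconstructed from the scan output, and applies a harden() transform that adds exactly the fields each check looks for. The namespace "demo", the UID 10001, the request/limit values, the probe path and the FAKE_DIGEST placeholder are assumptions to be replaced with values chosen for the real workload.

```python
import copy
from typing import Any

# Manifests reconstructed from the scan output on this page (YAML rendered as dicts so
# the example needs no PyYAML). Constructed input, not files read from the repository.
HTTPBIN_DEPLOYMENT: dict[str, Any] = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "httpbin"},
    "spec": {"replicas": 1, "selector": {"matchLabels": {"app": "httpbin"}},
             "template": {"metadata": {"labels": {"app": "httpbin"}},
                          "spec": {"containers": [{"image": "docker.io/kennethreitz/httpbin",
                                                   "name": "httpbin",
                                                   "ports": [{"containerPort": 80}]}]}}}}
BAR_APP_POD: dict[str, Any] = {
    "kind": "Pod", "apiVersion": "v1", "metadata": {"name": "bar-app", "labels": {"app": "bar"}},
    "spec": {"containers": [{"command": ["/agnhost", "netexec", "--http-port", "8080"],
                             "image": "registry.k8s.io/e2e-test-images/agnhost:2.39",
                             "name": "bar-app"}]}}


def pod_spec(m: dict[str, Any]) -> dict[str, Any]:
    """PodSpec of a bare Pod, or of the pod template of a Deployment/StatefulSet/DaemonSet."""
    return m["spec"] if m["kind"] == "Pod" else m["spec"]["template"]["spec"]


def run_checks(m: dict[str, Any]) -> dict[str, bool]:
    """Approximation of the CKV_K8S_* checks in the report (True = pass).
    Re-implemented for illustration; this is not checkov's own code."""
    ps = pod_spec(m)
    psc = ps.get("securityContext", {})
    cs = ps.get("containers", [])

    def sc(c): return c.get("securityContext", {})
    def res(c, kind, name): return name in c.get("resources", {}).get(kind, {})
    def drop(c): return set(sc(c).get("capabilities", {}).get("drop", []))
    def every(pred): return all(pred(c) for c in cs)
    # container-level securityContext fields override pod-level ones
    def eff(c, key, default=None): return sc(c).get(key, psc.get(key, default))
    def pinned(img):  # explicit tag that is not :latest, or a digest
        return "@" in img or (":" in img.rsplit("/", 1)[-1] and not img.endswith(":latest"))

    return {
        "CKV_K8S_8": every(lambda c: "livenessProbe" in c),
        "CKV_K8S_9": every(lambda c: "readinessProbe" in c),
        "CKV_K8S_10": every(lambda c: res(c, "requests", "cpu")),
        "CKV_K8S_11": every(lambda c: res(c, "limits", "cpu")),
        "CKV_K8S_12": every(lambda c: res(c, "requests", "memory")),
        "CKV_K8S_13": every(lambda c: res(c, "limits", "memory")),
        "CKV_K8S_14": every(lambda c: pinned(c["image"])),
        "CKV_K8S_15": every(lambda c: c.get("imagePullPolicy") == "Always"),
        "CKV_K8S_20": every(lambda c: sc(c).get("allowPrivilegeEscalation") is False),
        "CKV_K8S_21": m["metadata"].get("namespace", "default") != "default",
        "CKV_K8S_22": every(lambda c: sc(c).get("readOnlyRootFilesystem") is True),
        "CKV_K8S_23": every(lambda c: eff(c, "runAsNonRoot") is True),
        "CKV_K8S_28": every(lambda c: bool(drop(c) & {"NET_RAW", "ALL"})),
        "CKV_K8S_29": bool(psc),
        "CKV_K8S_30": every(lambda c: bool(sc(c))),
        "CKV_K8S_31": every(lambda c: eff(c, "seccompProfile", {}).get("type") == "RuntimeDefault"),
        "CKV_K8S_37": every(lambda c: "ALL" in drop(c) and not sc(c).get("capabilities", {}).get("add")),
        "CKV_K8S_38": ps.get("automountServiceAccountToken") is False,
        "CKV_K8S_40": every(lambda c: eff(c, "runAsUser", 0) >= 10000),
        "CKV_K8S_43": every(lambda c: "@sha256:" in c["image"]),
    }


def failed(m: dict[str, Any]) -> list[str]:
    """Sorted IDs of the checks the manifest fails."""
    return sorted(k for k, ok in run_checks(m).items() if not ok)


def harden(m: dict[str, Any], *, namespace: str, digest: str, probe_port: int,
           uid: int = 10001, probe_path: str = "/") -> dict[str, Any]:
    """Copy of the manifest with every field the report asks for. `digest` must be the
    sha256 of the image you actually tested (e.g. from `crane digest` or `docker inspect`)."""
    h = copy.deepcopy(m)
    h["metadata"]["namespace"] = namespace                               # CKV_K8S_21
    ps = pod_spec(h)
    ps["automountServiceAccountToken"] = False                           # CKV_K8S_38
    ps["securityContext"] = {"runAsNonRoot": True, "runAsUser": uid,     # CKV_K8S_23/29/40
                             "runAsGroup": uid,
                             "seccompProfile": {"type": "RuntimeDefault"}}  # CKV_K8S_31
    for c in ps["containers"]:
        c["image"] = c["image"].split("@", 1)[0] + "@" + digest          # CKV_K8S_14/43
        c["imagePullPolicy"] = "Always"                                  # CKV_K8S_15
        c["resources"] = {"requests": {"cpu": "50m", "memory": "64Mi"},   # CKV_K8S_10..13
                          "limits": {"cpu": "250m", "memory": "128Mi"}}
        c["securityContext"] = {"allowPrivilegeEscalation": False,       # CKV_K8S_20/30
                                "readOnlyRootFilesystem": True,          # CKV_K8S_22
                                "capabilities": {"drop": ["ALL"]}}       # CKV_K8S_28/37
        probe = {"httpGet": {"path": probe_path, "port": probe_port}, "periodSeconds": 10}
        c["livenessProbe"], c["readinessProbe"] = probe, dict(probe)     # CKV_K8S_8/9
    return h


# Placeholder digest for demonstration only; substitute the real one before applying.
FAKE_DIGEST = "sha256:" + "0" * 64

if __name__ == "__main__":
    for name, m, port in (("httpbin", HTTPBIN_DEPLOYMENT, 80), ("bar-app", BAR_APP_POD, 8080)):
        print(name, "before:", failed(m))
        print(name, "after: ", failed(harden(m, namespace="demo", digest=FAKE_DIGEST, probe_port=port)))
```

Two things a clean scan will not tell you. kennethreitz/httpbin binds port 80, and with capabilities dropped to ALL a UID of 10001 cannot bind a port below 1024, so after adding runAsUser you also have to run its gunicorn server on an unprivileged port and point the Service targetPort at it, or keep root and record CKV_K8S_23/40 as a documented exception. readOnlyRootFilesystem: true will crash any process that writes outside an emptyDir mount, so roll it out with the readiness probe in place and watch for CrashLoopBackOff. Once the image is pinned by digest, imagePullPolicy: Always only forces a registry round-trip; the digest, not the pull policy, is what guarantees that the bytes you reviewed are the bytes you run.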
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Ingress.default.demo-example-com
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/echo-app/ingress-with-plugin.yaml:1-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: extensions/v1beta1
2 | kind: Ingress
3 | metadata:
4 | name: demo-example-com
5 | annotations:
6 | konghq.com/plugins: request-id
7 | kubernetes.io/ingress.class: kong
8 | spec:
9 | rules:
10 | - host: example.com
11 | http:
12 | paths:
13 | - path: /bar
14 | backend:
15 | serviceName: echo
16 | servicePort: 80
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Ingress.default.demo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/echo-app/ingress.yaml:1-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: extensions/v1beta1
2 | kind: Ingress
3 | metadata:
4 | name: demo
5 | annotations:
6 | kubernetes.io/ingress.class: kong
7 | spec:
8 | rules:
9 | - http:
10 | paths:
11 | - path: /foo
12 | backend:
13 | serviceName: echo
14 | servicePort: 80
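The only check that fires on the four Ingress objects (httpbin-app/ingress.yaml and echo-app/ingress.yaml, echo-app/ingress-with-plugin.yaml) is CKV_K8S_21, but the more pressing defect is on line 1 of each manifest: the extensions/v1beta1 Ingress API was removed in Kubernetes 1.22, so on a current EKS cluster these objects will not apply at all, and the kubernetes.io/ingress.class annotation they rely on is deprecated in favour of spec.ingressClassName, which current Kong Ingress Controller releases read. The converter below is an added example, not code from the repository or from Kong: it rewrites the demo Ingress reconstructed from the scan output to networking.k8s.io/v1 in a non-default namespace, moves the class annotation to ingressClassName, converts the serviceName/servicePort backends to the v1 shape, and adds the pathType field that v1 requires. The namespace kong-demo and the Prefix default are assumptions; Prefix is the closest match to the prefix-style matching Kong applied to v1beta1 paths, and ImplementationSpecific defers the decision to the controller.

```python
import copy
from typing import Any

# The `demo` Ingress from httpbin-app/ingress.yaml as it appears in the scan output
# (constructed here as a dict; not read from the repository).
DEMO_INGRESS: dict[str, Any] = {
    "apiVersion": "extensions/v1beta1", "kind": "Ingress",
    "metadata": {"name": "demo",
                 "annotations": {"konghq.com/strip-path": "true",
                                 "kubernetes.io/ingress.class": "kong"}},
    "spec": {"rules": [{"http": {"paths": [
        {"path": "/foo", "backend": {"serviceName": "httpbin", "servicePort": 80}},
        {"path": "/bar", "backend": {"serviceName": "echo", "servicePort": 80}}]}}]}}

LEGACY_VERSIONS = ("extensions/v1beta1", "networking.k8s.io/v1beta1")


def _v1_backend(old: dict[str, Any]) -> dict[str, Any]:
    """v1beta1 {serviceName, servicePort} -> v1 {service: {name, port: {number|name}}}."""
    port = old["servicePort"]
    port_key = "number" if isinstance(port, int) else "name"
    return {"service": {"name": old["serviceName"], "port": {port_key: port}}}


def migrate_ingress(ing: dict[str, Any], namespace: str,
                    path_type: str = "Prefix") -> dict[str, Any]:
    """Return a networking.k8s.io/v1 copy of a v1beta1 Ingress placed in `namespace`."""
    if ing.get("kind") != "Ingress" or ing.get("apiVersion") not in LEGACY_VERSIONS:
        raise ValueError(f"not a v1beta1 Ingress: {ing.get('apiVersion')}/{ing.get('kind')}")
    if namespace == "default":
        raise ValueError("CKV_K8S_21: use a dedicated namespace, not 'default'")
    out = copy.deepcopy(ing)
    out["apiVersion"] = "networking.k8s.io/v1"
    out["metadata"]["namespace"] = namespace
    # The deprecated class annotation becomes spec.ingressClassName; Kong-specific
    # annotations such as konghq.com/strip-path are left untouched.
    cls = out["metadata"].get("annotations", {}).pop("kubernetes.io/ingress.class", None)
    if cls and "ingressClassName" not in out["spec"]:
        out["spec"]["ingressClassName"] = cls
    if "backend" in out["spec"]:                           # v1beta1 catch-all backend
        out["spec"]["defaultBackend"] = _v1_backend(out["spec"].pop("backend"))
    for rule in out["spec"].get("rules", []):
        for p in rule.get("http", {}).get("paths", []):
            p["backend"] = _v1_backend(p["backend"])
            p.setdefault("pathType", path_type)            # mandatory in v1
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(migrate_ingress(DEMO_INGRESS, "kong-demo"), indent=2))
```

An Ingress can only route to Services in its own namespace, so the httpbin and echo Services and Deployments have to move to the same namespace as the migrated Ingress (kubectl create namespace first), otherwise the rules resolve to nothing and Kong returns 404 for /foo and /bar.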
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.default.bar-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_bar_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: bar-app
5 | labels:
6 | app: bar
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: bar-app
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.bar-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_bar_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: bar-app
5 | labels:
6 | app: bar
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: bar-app
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Pod.default.bar-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_bar_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: bar-app
5 | labels:
6 | app: bar
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: bar-app
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.bar-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_bar_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: bar-app
5 | labels:
6 | app: bar
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: bar-app
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.bar-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_bar_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: bar-app
5 | labels:
6 | app: bar
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: bar-app
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.bar-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_bar_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: bar-app
5 | labels:
6 | app: bar
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: bar-app
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.default.bar-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_bar_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: bar-app
5 | labels:
6 | app: bar
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: bar-app
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.bar-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_bar_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: bar-app
5 | labels:
6 | app: bar
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: bar-app
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.bar-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_bar_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: bar-app
5 | labels:
6 | app: bar
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: bar-app
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.bar-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_bar_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: bar-app
5 | labels:
6 | app: bar
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: bar-app
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.default.bar-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_bar_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: bar-app
5 | labels:
6 | app: bar
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: bar-app
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.bar-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_bar_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: bar-app
5 | labels:
6 | app: bar
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: bar-app
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.default.bar-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_bar_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: bar-app
5 | labels:
6 | app: bar
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: bar-app
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.bar-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_bar_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: bar-app
5 | labels:
6 | app: bar
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: bar-app
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.bar-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_bar_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: bar-app
5 | labels:
6 | app: bar
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: bar-app
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.bar-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_bar_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: bar-app
5 | labels:
6 | app: bar
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: bar-app
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Pod.default.bar-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_bar_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: bar-app
5 | labels:
6 | app: bar
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: bar-app
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Pod.default.bar-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_bar_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: bar-app
5 | labels:
6 | app: bar
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: bar-app
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.bar-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_bar_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: bar-app
5 | labels:
6 | app: bar
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: bar-app
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.foo-service
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/svc_foo.yaml:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | kind: Service
2 | apiVersion: v1
3 | metadata:
4 | name: foo-service
5 | spec:
6 | selector:
7 | app: foo
8 | ports:
9 | # Default port used by the image
10 | - port: 8080
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.default.foo-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_foo_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo-app
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: foo-app
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.foo-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_foo_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo-app
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: foo-app
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Pod.default.foo-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_foo_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo-app
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: foo-app
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.foo-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_foo_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo-app
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: foo-app
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.foo-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_foo_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo-app
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: foo-app
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.foo-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_foo_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo-app
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: foo-app
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.default.foo-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_foo_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo-app
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: foo-app
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.foo-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_foo_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo-app
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: foo-app
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.foo-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_foo_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo-app
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: foo-app
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.foo-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_foo_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo-app
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: foo-app
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.default.foo-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_foo_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo-app
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: foo-app
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.foo-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_foo_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo-app
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: foo-app
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.default.foo-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_foo_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo-app
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: foo-app
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.foo-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_foo_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo-app
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: foo-app
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.foo-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_foo_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo-app
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: foo-app
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.foo-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_foo_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo-app
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: foo-app
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Pod.default.foo-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_foo_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo-app
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: foo-app
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Pod.default.foo-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_foo_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo-app
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: foo-app
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.foo-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_foo_app.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo-app
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - command:
10 | - /agnhost
11 | - netexec
12 | - --http-port
13 | - "8080"
14 | image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 | name: foo-app
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.bar-service
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/svc_bar.yaml:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | kind: Service
2 | apiVersion: v1
3 | metadata:
4 | name: bar-service
5 | spec:
6 | selector:
7 | app: bar
8 | ports:
9 | # Default port used by the image
10 | - port: 8080
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Ingress.default.example-ingress
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/ingress.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: networking.k8s.io/v1
2 | kind: Ingress
3 | metadata:
4 | name: example-ingress
5 | annotations:
6 | nginx.ingress.kubernetes.io/rewrite-target: /$2
7 | spec:
8 | rules:
9 | - http:
10 | paths:
11 | - pathType: Prefix
12 | path: /foo(/|$)(.*)
13 | backend:
14 | service:
15 | name: foo-service
16 | port:
17 | number: 8080
18 | - pathType: Prefix
19 | path: /bar(/|$)(.*)
20 | backend:
21 | service:
22 | name: bar-service
23 | port:
24 | number: 8080
Check: CKV_K8S_155: "Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations"
FAILED for resource: ClusterRole.default.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:8673-8742
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-control-over-validating-or-mutating-admission-webhook-configurations-are-minimized.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9695-9766
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9695-9766
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9695-9766
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9695-9766
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9695-9766
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9695-9766
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9695-9766
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9695-9766
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9695-9766
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9695-9766
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9695-9766
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9767-9822
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9767-9822
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9767-9822
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9767-9822
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9767-9822
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9767-9822
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9767-9822
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9767-9822
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9767-9822
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9767-9822
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9767-9822
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9823-9910
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9823-9910
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9823-9910
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9823-9910
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9823-9910
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9823-9910
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9823-9910
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9823-9910
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9823-9910
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Job.cert-manager.cert-manager-startupapicheck
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9911-9962
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Job.cert-manager.cert-manager-startupapicheck
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9911-9962
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Job.cert-manager.cert-manager-startupapicheck
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9911-9962
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Job.cert-manager.cert-manager-startupapicheck
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9911-9962
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Job.cert-manager.cert-manager-startupapicheck
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9911-9962
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Job.cert-manager.cert-manager-startupapicheck
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9911-9962
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Job.cert-manager.cert-manager-startupapicheck
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9911-9962
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Job.cert-manager.cert-manager-startupapicheck
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9911-9962
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Job.cert-manager.cert-manager-startupapicheck
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9911-9962
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 |   labels:
5 |     app: echo
6 |   name: echo
7 |   namespace: default
8 | spec:
9 |   ports:
10 |   - name: high
11 |     port: 8080
12 |     protocol: TCP
13 |     targetPort: 8080
14 |   - name: low
15 |     port: 80
16 |     protocol: TCP
17 |     targetPort: 8080
18 |   selector:
19 |     app: echo
20 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.whoami-service
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:21-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
21 | apiVersion: v1
22 | kind: Service
23 | metadata:
24 |   name: whoami-service
25 |   namespace: default
26 | spec:
27 |   ports:
28 |   - port: 80
29 |     protocol: TCP
30 |     targetPort: 80
31 |   selector:
32 |     app: whoami
33 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:34-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
34 | apiVersion: apps/v1
35 | kind: Deployment
36 | metadata:
37 |   labels:
38 |     app: echo
39 |   name: echo
40 |   namespace: default
41 | spec:
42 |   replicas: 1
43 |   selector:
44 |     matchLabels:
45 |       app: echo
46 |   strategy: {}
47 |   template:
48 |     metadata:
49 |       labels:
50 |         app: echo
51 |     spec:
52 |       containers:
53 |       - env:
54 |         - name: NODE_NAME
55 |           valueFrom:
56 |             fieldRef:
57 |               fieldPath: spec.nodeName
58 |         - name: POD_NAME
59 |           valueFrom:
60 |             fieldRef:
61 |               fieldPath: metadata.name
62 |         - name: POD_NAMESPACE
63 |           valueFrom:
64 |             fieldRef:
65 |               fieldPath: metadata.namespace
66 |         - name: POD_IP
67 |           valueFrom:
68 |             fieldRef:
69 |               fieldPath: status.podIP
70 |         image: gcr.io/kubernetes-e2e-test-images/echoserver:2.2
71 |         name: echo
72 |         ports:
73 |         - containerPort: 8080
74 |         resources: {}
75 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:34-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:34-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:34-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:34-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:34-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:34-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:34-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:34-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:34-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:34-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:34-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:34-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:34-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:34-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:34-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:34-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:76-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
76 | apiVersion: apps/v1
77 | kind: Deployment
78 | metadata:
79 |   labels:
80 |     app: whoami
81 |   name: whoami
82 |   namespace: default
83 | spec:
84 |   replicas: 1
85 |   selector:
86 |     matchLabels:
87 |       app: whoami
88 |   template:
89 |     metadata:
90 |       labels:
91 |         app: whoami
92 |     spec:
93 |       containers:
94 |       - image: containous/whoami
95 |         name: whoami
96 |         ports:
97 |         - containerPort: 80
98 |           name: web
99 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:76-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:76-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:76-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:76-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:76-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:76-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:76-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:76-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:76-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:76-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:76-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:76-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:76-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:76-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:76-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:76-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:76-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:76-99
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Ingress.default.echo-ingress
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:100-124
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
100 | apiVersion: networking.k8s.io/v1
101 | kind: Ingress
102 | metadata:
103 |   annotations:
104 |     cert-manager.io/cluster-issuer: letsencrypt-prod
105 |   name: echo-ingress
106 |   namespace: default
107 | spec:
108 |   ingressClassName: nginx
109 |   rules:
110 |   - host: echoservice.DOMAIN_NAME
111 |     http:
112 |       paths:
113 |       - backend:
114 |           service:
115 |             name: echo
116 |             port:
117 |               number: 80
118 |         path: /echo
119 |         pathType: Prefix
120 |   tls:
121 |   - hosts:
122 |     - echoservice.DOMAIN_NAME
123 |     secretName: echo-service-tls
124 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Ingress.default.whoami-ingress
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:125-148
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
125 | apiVersion: networking.k8s.io/v1
126 | kind: Ingress
127 | metadata:
128 |   annotations:
129 |     cert-manager.io/cluster-issuer: letsencrypt-prod
130 |   name: whoami-ingress
131 |   namespace: default
132 | spec:
133 |   ingressClassName: nginx
134 |   rules:
135 |   - host: whoamiservice.DOMAIN_NAME
136 |     http:
137 |       paths:
138 |       - backend:
139 |           service:
140 |             name: whoami-service
141 |             port:
142 |               number: 80
143 |         path: /whoami
144 |         pathType: Prefix
145 |   tls:
146 |   - hosts:
147 |     - whoamiservice.DOMAIN_NAME
148 |     secretName: whoami-service-tls
Check: CKV_K8S_155: "Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations"
FAILED for resource: ClusterRole.default.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:4552-4583
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-control-over-validating-or-mutating-admission-webhook-configurations-are-minimized.html
4552 | apiVersion: rbac.authorization.k8s.io/v1
4553 | kind: ClusterRole
4554 | metadata:
4555 |   name: cert-manager-cainjector
4556 |   labels:
4557 |     app: cainjector
4558 |     app.kubernetes.io/name: cainjector
4559 |     app.kubernetes.io/instance: cert-manager
4560 |     app.kubernetes.io/component: "cainjector"
4561 |     app.kubernetes.io/version: "v1.12.2"
4562 |     app.kubernetes.io/managed-by: Helm
4563 |     helm.sh/chart: cert-manager-v1.12.2
4564 | rules:
4565 |   - apiGroups: ["cert-manager.io"]
4566 |     resources: ["certificates"]
4567 |     verbs: ["get", "list", "watch"]
4568 |   - apiGroups: [""]
4569 |     resources: ["secrets"]
4570 |     verbs: ["get", "list", "watch"]
4571 |   - apiGroups: [""]
4572 |     resources: ["events"]
4573 |     verbs: ["get", "create", "update", "patch"]
4574 |   - apiGroups: ["admissionregistration.k8s.io"]
4575 |     resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
4576 |     verbs: ["get", "list", "watch", "update", "patch"]
4577 |   - apiGroups: ["apiregistration.k8s.io"]
4578 |     resources: ["apiservices"]
4579 |     verbs: ["get", "list", "watch", "update", "patch"]
4580 |   - apiGroups: ["apiextensions.k8s.io"]
4581 |     resources: ["customresourcedefinitions"]
4582 |     verbs: ["get", "list", "watch", "update", "patch"]
4583 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5364-5419
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5364-5419
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5364-5419
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5364-5419
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5364-5419
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5364-5419
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5364-5419
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5364-5419
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5364-5419
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5364-5419
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5364-5419
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5421-5492
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5421-5492
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5421-5492
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5421-5492
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5421-5492
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5421-5492
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5421-5492
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5421-5492
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5421-5492
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5421-5492
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5421-5492
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5494-5582
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5494-5582
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5494-5582
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5494-5582
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5494-5582
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5494-5582
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5494-5582
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5494-5582
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5494-5582
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Job.cert-manager.cert-manager-startupapicheck
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5750-5800
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Job.cert-manager.cert-manager-startupapicheck
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5750-5800
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Job.cert-manager.cert-manager-startupapicheck
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5750-5800
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Job.cert-manager.cert-manager-startupapicheck
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5750-5800
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Job.cert-manager.cert-manager-startupapicheck
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5750-5800
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Job.cert-manager.cert-manager-startupapicheck
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5750-5800
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Job.cert-manager.cert-manager-startupapicheck
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5750-5800
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Job.cert-manager.cert-manager-startupapicheck
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5750-5800
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Job.cert-manager.cert-manager-startupapicheck
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5750-5800
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_whoami.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   name: whoami
5 |   labels:
6 |     app: whoami
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: whoami
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: whoami
16 |     spec:
17 |       containers:
18 |         - name: whoami
19 |           image: containous/whoami
20 |           ports:
21 |             - name: web
22 |               containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_whoami.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   name: whoami
5 |   labels:
6 |     app: whoami
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: whoami
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: whoami
16 |     spec:
17 |       containers:
18 |         - name: whoami
19 |           image: containous/whoami
20 |           ports:
21 |             - name: web
22 |               containerPort: 80
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_whoami.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   name: whoami
5 |   labels:
6 |     app: whoami
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: whoami
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: whoami
16 |     spec:
17 |       containers:
18 |         - name: whoami
19 |           image: containous/whoami
20 |           ports:
21 |             - name: web
22 |               containerPort: 80
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_whoami.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   name: whoami
5 |   labels:
6 |     app: whoami
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: whoami
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: whoami
16 |     spec:
17 |       containers:
18 |         - name: whoami
19 |           image: containous/whoami
20 |           ports:
21 |             - name: web
22 |               containerPort: 80
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_whoami.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   name: whoami
5 |   labels:
6 |     app: whoami
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: whoami
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: whoami
16 |     spec:
17 |       containers:
18 |         - name: whoami
19 |           image: containous/whoami
20 |           ports:
21 |             - name: web
22 |               containerPort: 80
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_whoami.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   name: whoami
5 |   labels:
6 |     app: whoami
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: whoami
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: whoami
16 |     spec:
17 |       containers:
18 |         - name: whoami
19 |           image: containous/whoami
20 |           ports:
21 |             - name: web
22 |               containerPort: 80
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_whoami.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   name: whoami
5 |   labels:
6 |     app: whoami
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: whoami
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: whoami
16 |     spec:
17 |       containers:
18 |         - name: whoami
19 |           image: containous/whoami
20 |           ports:
21 |             - name: web
22 |               containerPort: 80
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_whoami.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   name: whoami
5 |   labels:
6 |     app: whoami
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: whoami
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: whoami
16 |     spec:
17 |       containers:
18 |         - name: whoami
19 |           image: containous/whoami
20 |           ports:
21 |             - name: web
22 |               containerPort: 80
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_whoami.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   name: whoami
5 |   labels:
6 |     app: whoami
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: whoami
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: whoami
16 |     spec:
17 |       containers:
18 |         - name: whoami
19 |           image: containous/whoami
20 |           ports:
21 |             - name: web
22 |               containerPort: 80
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_whoami.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   name: whoami
5 |   labels:
6 |     app: whoami
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: whoami
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: whoami
16 |     spec:
17 |       containers:
18 |         - name: whoami
19 |           image: containous/whoami
20 |           ports:
21 |             - name: web
22 |               containerPort: 80
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_whoami.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   name: whoami
5 |   labels:
6 |     app: whoami
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: whoami
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: whoami
16 |     spec:
17 |       containers:
18 |         - name: whoami
19 |           image: containous/whoami
20 |           ports:
21 |             - name: web
22 |               containerPort: 80
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_whoami.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   name: whoami
5 |   labels:
6 |     app: whoami
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: whoami
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: whoami
16 |     spec:
17 |       containers:
18 |         - name: whoami
19 |           image: containous/whoami
20 |           ports:
21 |             - name: web
22 |               containerPort: 80
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_whoami.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   name: whoami
5 |   labels:
6 |     app: whoami
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: whoami
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: whoami
16 |     spec:
17 |       containers:
18 |         - name: whoami
19 |           image: containous/whoami
20 |           ports:
21 |             - name: web
22 |               containerPort: 80
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_whoami.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   name: whoami
5 |   labels:
6 |     app: whoami
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: whoami
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: whoami
16 |     spec:
17 |       containers:
18 |         - name: whoami
19 |           image: containous/whoami
20 |           ports:
21 |             - name: web
22 |               containerPort: 80
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_whoami.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   name: whoami
5 |   labels:
6 |     app: whoami
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: whoami
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: whoami
16 |     spec:
17 |       containers:
18 |         - name: whoami
19 |           image: containous/whoami
20 |           ports:
21 |             - name: web
22 |               containerPort: 80
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_whoami.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   name: whoami
5 |   labels:
6 |     app: whoami
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: whoami
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: whoami
16 |     spec:
17 |       containers:
18 |         - name: whoami
19 |           image: containous/whoami
20 |           ports:
21 |             - name: web
22 |               containerPort: 80
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_whoami.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   name: whoami
5 |   labels:
6 |     app: whoami
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: whoami
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: whoami
16 |     spec:
17 |       containers:
18 |         - name: whoami
19 |           image: containous/whoami
20 |           ports:
21 |             - name: web
22 |               containerPort: 80
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_whoami.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   name: whoami
5 |   labels:
6 |     app: whoami
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: whoami
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: whoami
16 |     spec:
17 |       containers:
18 |         - name: whoami
19 |           image: containous/whoami
20 |           ports:
21 |             - name: web
22 |               containerPort: 80
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_whoami.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/svc_echo.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 |   labels:
5 |     app: echo
6 |   name: echo
7 | spec:
8 |   ports:
9 |   - port: 8080
10 |     name: high
11 |     protocol: TCP
12 |     targetPort: 8080
13 |   - port: 80
14 |     name: low
15 |     protocol: TCP
16 |     targetPort: 8080
17 |   selector:
18 |     app: echo
19 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Ingress.default.whoami-ingress
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/ingress_whoami.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: networking.k8s.io/v1
2 | kind: Ingress
3 | metadata:
4 |   name: whoami-ingress
5 |   annotations:
6 |     # kubernetes.io/ingress.class: "nginx" # Warning: annotation "kubernetes.io/ingress.class" is deprecated, please use 'spec.ingressClassName' instead
7 |     cert-manager.io/cluster-issuer: "letsencrypt-prod"
8 | spec:
9 |   ingressClassName: "nginx"
10 |   tls:
11 |   - hosts:
12 |     - whoamiservice.DOMAIN_NAME # replace with your domain
13 |     secretName: whoami-service-tls # This is the secret that will hold the SSL certificate
14 |   rules:
15 |   - host: whoamiservice.DOMAIN_NAME # replace with your domain
16 |     http:
17 |       paths:
18 |       - pathType: Prefix
19 |         path: "/whoami"
20 |         backend:
21 |           service:
22 |             name: whoami-service
23 |             port:
24 |               number: 80
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Ingress.default.echo-ingress
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/ingress_echo.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: networking.k8s.io/v1
2 | kind: Ingress
3 | metadata:
4 |   name: echo-ingress
5 |   annotations:
6 |     # kubernetes.io/ingress.class: "nginx" # Warning: annotation "kubernetes.io/ingress.class" is deprecated, please use 'spec.ingressClassName' instead
7 |     cert-manager.io/cluster-issuer: "letsencrypt-prod"
8 | spec:
9 |   ingressClassName: "nginx"
10 |   tls:
11 |   - hosts:
12 |     - echoservice.DOMAIN_NAME # replace with your domain
13 |     secretName: echo-service-tls # This is the secret that will hold the SSL certificate
14 |   rules:
15 |   - host: echoservice.DOMAIN_NAME # replace with your domain
16 |     http:
17 |       paths:
18 |       - pathType: Prefix
19 |         path: "/echo"
20 |         backend:
21 |           service:
22 |             name: echo
23 |             port:
24 |               number: 80
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_echo.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   labels:
5 |     app: echo
6 |   name: echo
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: echo
12 |   strategy: {}
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: echo
17 |     spec:
18 |       containers:
19 |       - image: gcr.io/kubernetes-e2e-test-images/echoserver:2.2
20 |         name: echo
21 |         ports:
22 |         - containerPort: 8080
23 |         env:
24 |         - name: NODE_NAME
25 |           valueFrom:
26 |             fieldRef:
27 |               fieldPath: spec.nodeName
28 |         - name: POD_NAME
29 |           valueFrom:
30 |             fieldRef:
31 |               fieldPath: metadata.name
32 |         - name: POD_NAMESPACE
33 |           valueFrom:
34 |             fieldRef:
35 |               fieldPath: metadata.namespace
36 |         - name: POD_IP
37 |           valueFrom:
38 |             fieldRef:
39 |               fieldPath: status.podIP
40 |         resources: {}
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_echo.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_echo.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_echo.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_echo.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_echo.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_echo.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_echo.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_echo.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_echo.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_echo.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_echo.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_echo.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_echo.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_echo.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_echo.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_echo.yaml:1-40
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.whoami-service
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/svc_whoami.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 |   name: whoami-service
5 | spec:
6 |   selector:
7 |     app: whoami
8 |   ports:
9 |     - protocol: TCP
10 |       port: 80
11 |       targetPort: 80
Check: CKV_K8S_6: "Do not admit root containers"
FAILED for resource: PodSecurityPolicy.default.example
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_030__gcp__PodSecurityPolicy/example-psp.yaml:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-5.html
1 | apiVersion: policy/v1beta1
2 | kind: PodSecurityPolicy
3 | metadata:
4 |   name: example
5 | spec:
6 |   privileged: false  # Don't allow privileged pods!
7 |   # The rest fills in some required fields.
8 |   seLinux:
9 |     rule: RunAsAny
10 |   supplementalGroups:
11 |     rule: RunAsAny
12 |   runAsUser:
13 |     rule: RunAsAny
14 |   fsGroup:
15 |     rule: RunAsAny
16 |   volumes:
17 |   - '*'
Check: CKV_K8S_7: "Do not admit containers with the NET_RAW capability"
FAILED for resource: PodSecurityPolicy.default.example
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_030__gcp__PodSecurityPolicy/example-psp.yaml:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-6.html
Check: CKV_K8S_36: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: PodSecurityPolicy.default.example
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_030__gcp__PodSecurityPolicy/example-psp.yaml:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/minimize-the-admission-of-containers-with-capabilities-assigned.html
Check: CKV_K8S_32: "Ensure default seccomp profile set to docker/default or runtime/default"
FAILED for resource: PodSecurityPolicy.default.example
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_030__gcp__PodSecurityPolicy/example-psp.yaml:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-30.html
Check: CKV_K8S_5: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: PodSecurityPolicy.default.example
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_030__gcp__PodSecurityPolicy/example-psp.yaml:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-containers-do-not-run-with-allowprivilegeescalation.html
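The five PodSecurityPolicy findings above are one complaint: example-psp.yaml forbids privileged pods and then sets every other control to RunAsAny, so a pod admitted by it can still run as root, keep NET_RAW, escalate privileges and run without a seccomp profile. The policy below is an added example written for this page, not a file from the learn-devops repository. It keeps the original's `privileged: false` and closes the flagged controls, then shows the Pod Security Admission namespace label that replaces PSP on clusters at Kubernetes 1.25 or later, where the `policy/v1beta1` PodSecurityPolicy API no longer exists (deprecated in 1.21, removed in 1.25). The policy name, the namespace name, the GID ranges and the volume list are assumptions to adjust for the cluster.

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example-restricted        # name is an assumption
  annotations:
    # CKV_K8S_32: default seccomp profile, and the only one a pod may request
    seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
spec:
  privileged: false               # kept from the original policy
  allowPrivilegeEscalation: false # CKV_K8S_5: no setuid/file-capability escalation inside the container
  requiredDropCapabilities:
  - ALL                           # CKV_K8S_7 (covers NET_RAW) and CKV_K8S_36
  runAsUser:
    rule: MustRunAsNonRoot        # CKV_K8S_6: rejects pods whose image or spec would run UID 0
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
    - min: 1                      # GID ranges are assumptions; GID 0 (root group) is excluded
      max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 65535
  readOnlyRootFilesystem: true
  hostNetwork: false
  hostPID: false
  hostIPC: false
  volumes:                        # replaces '*': no hostPath, no node-local volume types
  - configMap
  - emptyDir
  - projected
  - secret
  - downwardAPI
  - persistentVolumeClaim
---
# Pod Security Admission equivalent for Kubernetes 1.23+ (GA in 1.25): labels on the namespace
# enforce the built-in "restricted" profile, which demands the same non-root, drop-ALL,
# no-escalation and seccomp settings as the policy above.
apiVersion: v1
kind: Namespace
metadata:
  name: echo                      # namespace name is an assumption
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
```

A PodSecurityPolicy is inert until a Role or ClusterRole grants the `use` verb on it to the service accounts that create pods, and the cluster must have the PodSecurityPolicy admission plugin enabled; a policy that passes checkov but is never bound protects nothing. The PSA label needs neither: it applies to every pod created in the namespace, which is why a task written against PSP on GKE should be redone against it.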
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_046__local__kind__nodeport_with_port_mapping/svc.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 |   name: foo
5 | spec:
6 |   type: NodePort
7 |   ports:
8 |   - name: http
9 |     nodePort: 30951
10 |     port: 80
11 |   selector:
12 |     app: foo
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_046__local__kind__nodeport_with_port_mapping/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 |   name: foo
5 |   labels:
6 |     app: foo
7 | spec:
8 |   containers:
9 |   - name: foo
10 |     image: nginx:latest
11 |     ports:
12 |     - containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_046__local__kind__nodeport_with_port_mapping/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_046__local__kind__nodeport_with_port_mapping/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_046__local__kind__nodeport_with_port_mapping/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - name: foo
10 | image: nginx:latest
11 | ports:
12 | - containerPort: 80
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_046__local__kind__nodeport_with_port_mapping/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - name: foo
10 | image: nginx:latest
11 | ports:
12 | - containerPort: 80
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_046__local__kind__nodeport_with_port_mapping/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - name: foo
10 | image: nginx:latest
11 | ports:
12 | - containerPort: 80
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_046__local__kind__nodeport_with_port_mapping/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - name: foo
10 | image: nginx:latest
11 | ports:
12 | - containerPort: 80
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_046__local__kind__nodeport_with_port_mapping/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - name: foo
10 | image: nginx:latest
11 | ports:
12 | - containerPort: 80
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_046__local__kind__nodeport_with_port_mapping/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - name: foo
10 | image: nginx:latest
11 | ports:
12 | - containerPort: 80
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_046__local__kind__nodeport_with_port_mapping/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - name: foo
10 | image: nginx:latest
11 | ports:
12 | - containerPort: 80
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_046__local__kind__nodeport_with_port_mapping/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - name: foo
10 | image: nginx:latest
11 | ports:
12 | - containerPort: 80
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_046__local__kind__nodeport_with_port_mapping/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - name: foo
10 | image: nginx:latest
11 | ports:
12 | - containerPort: 80
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_046__local__kind__nodeport_with_port_mapping/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - name: foo
10 | image: nginx:latest
11 | ports:
12 | - containerPort: 80
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_046__local__kind__nodeport_with_port_mapping/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - name: foo
10 | image: nginx:latest
11 | ports:
12 | - containerPort: 80
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_046__local__kind__nodeport_with_port_mapping/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - name: foo
10 | image: nginx:latest
11 | ports:
12 | - containerPort: 80
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_046__local__kind__nodeport_with_port_mapping/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - name: foo
10 | image: nginx:latest
11 | ports:
12 | - containerPort: 80
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_046__local__kind__nodeport_with_port_mapping/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - name: foo
10 | image: nginx:latest
11 | ports:
12 | - containerPort: 80
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_046__local__kind__nodeport_with_port_mapping/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - name: foo
10 | image: nginx:latest
11 | ports:
12 | - containerPort: 80
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_046__local__kind__nodeport_with_port_mapping/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: foo
5 | labels:
6 | app: foo
7 | spec:
8 | containers:
9 | - name: foo
10 | image: nginx:latest
11 | ports:
12 | - containerPort: 80
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/httpbin-app/svc.yaml:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 | name: httpbin
5 | labels:
6 | app: httpbin
7 | spec:
8 | ports:
9 | - name: http
10 | port: 80
11 | targetPort: 80
12 | selector:
13 | app: httpbin
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: httpbin
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: httpbin
10 | template:
11 | metadata:
12 | labels:
13 | app: httpbin
14 | spec:
15 | containers:
16 | - image: docker.io/kennethreitz/httpbin
17 | name: httpbin
18 | ports:
19 | - containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: httpbin
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: httpbin
10 | template:
11 | metadata:
12 | labels:
13 | app: httpbin
14 | spec:
15 | containers:
16 | - image: docker.io/kennethreitz/httpbin
17 | name: httpbin
18 | ports:
19 | - containerPort: 80
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: httpbin
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: httpbin
10 | template:
11 | metadata:
12 | labels:
13 | app: httpbin
14 | spec:
15 | containers:
16 | - image: docker.io/kennethreitz/httpbin
17 | name: httpbin
18 | ports:
19 | - containerPort: 80
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: httpbin
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: httpbin
10 | template:
11 | metadata:
12 | labels:
13 | app: httpbin
14 | spec:
15 | containers:
16 | - image: docker.io/kennethreitz/httpbin
17 | name: httpbin
18 | ports:
19 | - containerPort: 80
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: httpbin
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: httpbin
10 | template:
11 | metadata:
12 | labels:
13 | app: httpbin
14 | spec:
15 | containers:
16 | - image: docker.io/kennethreitz/httpbin
17 | name: httpbin
18 | ports:
19 | - containerPort: 80
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: httpbin
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: httpbin
10 | template:
11 | metadata:
12 | labels:
13 | app: httpbin
14 | spec:
15 | containers:
16 | - image: docker.io/kennethreitz/httpbin
17 | name: httpbin
18 | ports:
19 | - containerPort: 80
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: httpbin
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: httpbin
10 | template:
11 | metadata:
12 | labels:
13 | app: httpbin
14 | spec:
15 | containers:
16 | - image: docker.io/kennethreitz/httpbin
17 | name: httpbin
18 | ports:
19 | - containerPort: 80
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: httpbin
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: httpbin
10 | template:
11 | metadata:
12 | labels:
13 | app: httpbin
14 | spec:
15 | containers:
16 | - image: docker.io/kennethreitz/httpbin
17 | name: httpbin
18 | ports:
19 | - containerPort: 80
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: httpbin
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: httpbin
10 | template:
11 | metadata:
12 | labels:
13 | app: httpbin
14 | spec:
15 | containers:
16 | - image: docker.io/kennethreitz/httpbin
17 | name: httpbin
18 | ports:
19 | - containerPort: 80
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: httpbin
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: httpbin
10 | template:
11 | metadata:
12 | labels:
13 | app: httpbin
14 | spec:
15 | containers:
16 | - image: docker.io/kennethreitz/httpbin
17 | name: httpbin
18 | ports:
19 | - containerPort: 80
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: httpbin
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: httpbin
10 | template:
11 | metadata:
12 | labels:
13 | app: httpbin
14 | spec:
15 | containers:
16 | - image: docker.io/kennethreitz/httpbin
17 | name: httpbin
18 | ports:
19 | - containerPort: 80
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: httpbin
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: httpbin
10 | template:
11 | metadata:
12 | labels:
13 | app: httpbin
14 | spec:
15 | containers:
16 | - image: docker.io/kennethreitz/httpbin
17 | name: httpbin
18 | ports:
19 | - containerPort: 80
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: httpbin
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: httpbin
10 | template:
11 | metadata:
12 | labels:
13 | app: httpbin
14 | spec:
15 | containers:
16 | - image: docker.io/kennethreitz/httpbin
17 | name: httpbin
18 | ports:
19 | - containerPort: 80
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: httpbin
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: httpbin
10 | template:
11 | metadata:
12 | labels:
13 | app: httpbin
14 | spec:
15 | containers:
16 | - image: docker.io/kennethreitz/httpbin
17 | name: httpbin
18 | ports:
19 | - containerPort: 80
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: httpbin
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: httpbin
10 | template:
11 | metadata:
12 | labels:
13 | app: httpbin
14 | spec:
15 | containers:
16 | - image: docker.io/kennethreitz/httpbin
17 | name: httpbin
18 | ports:
19 | - containerPort: 80
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: httpbin
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: httpbin
10 | template:
11 | metadata:
12 | labels:
13 | app: httpbin
14 | spec:
15 | containers:
16 | - image: docker.io/kennethreitz/httpbin
17 | name: httpbin
18 | ports:
19 | - containerPort: 80
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: httpbin
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: httpbin
10 | template:
11 | metadata:
12 | labels:
13 | app: httpbin
14 | spec:
15 | containers:
16 | - image: docker.io/kennethreitz/httpbin
17 | name: httpbin
18 | ports:
19 | - containerPort: 80
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: httpbin
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: httpbin
10 | template:
11 | metadata:
12 | labels:
13 | app: httpbin
14 | spec:
15 | containers:
16 | - image: docker.io/kennethreitz/httpbin
17 | name: httpbin
18 | ports:
19 | - containerPort: 80
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/httpbin-app/dep.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: httpbin
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: httpbin
10 | template:
11 | metadata:
12 | labels:
13 | app: httpbin
14 | spec:
15 | containers:
16 | - image: docker.io/kennethreitz/httpbin
17 | name: httpbin
18 | ports:
19 | - containerPort: 80
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ServiceAccount.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/traefik-helm-chart/traefik-manifests.yaml:3-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
3 | kind: ServiceAccount
4 | apiVersion: v1
5 | metadata:
6 | name: traefik
7 | labels:
8 | app.kubernetes.io/name: traefik
9 | helm.sh/chart: traefik-10.3.6
10 | app.kubernetes.io/managed-by: Helm
11 | app.kubernetes.io/instance: traefik
12 | annotations:
13 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/traefik-helm-chart/traefik-manifests.yaml:89-199
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/traefik-helm-chart/traefik-manifests.yaml:89-199
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/traefik-helm-chart/traefik-manifests.yaml:89-199
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/traefik-helm-chart/traefik-manifests.yaml:89-199
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/traefik-helm-chart/traefik-manifests.yaml:89-199
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/traefik-helm-chart/traefik-manifests.yaml:89-199
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/traefik-helm-chart/traefik-manifests.yaml:89-199
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/traefik-helm-chart/traefik-manifests.yaml:89-199
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/traefik-helm-chart/traefik-manifests.yaml:89-199
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/traefik-helm-chart/traefik-manifests.yaml:206-230
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
206 | - apiVersion: v1
207 | kind: Service
208 | metadata:
209 | name: traefik
210 | labels:
211 | app.kubernetes.io/name: traefik
212 | helm.sh/chart: traefik-10.3.6
213 | app.kubernetes.io/managed-by: Helm
214 | app.kubernetes.io/instance: traefik
215 | annotations:
216 | spec:
217 | type: LoadBalancer
218 | selector:
219 | app.kubernetes.io/name: traefik
220 | app.kubernetes.io/instance: traefik
221 | ports:
222 | - port: 80
223 | name: web
224 | targetPort: "web"
225 | protocol: "TCP"
226 | - port: 443
227 | name: websecure
228 | targetPort: "websecure"
229 | protocol: "TCP"
230 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/echo-app/svc.yaml:1-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 | labels:
5 | app: echo
6 | name: echo
7 | spec:
8 | ports:
9 | - port: 8080
10 | name: high
11 | protocol: TCP
12 | targetPort: 8080
13 | - port: 80
14 | name: low
15 | protocol: TCP
16 | targetPort: 8080
17 | selector:
18 | app: echo
19 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/echo-app/dep.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | labels:
5 | app: echo
6 | name: echo
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: echo
12 | strategy: {}
13 | template:
14 | metadata:
15 | creationTimestamp: null
16 | labels:
17 | app: echo
18 | spec:
19 | containers:
20 | - image: gcr.io/kubernetes-e2e-test-images/echoserver:2.2
21 | name: echo
22 | ports:
23 | - containerPort: 8080
24 | env:
25 | - name: NODE_NAME
26 | valueFrom:
27 | fieldRef:
28 | fieldPath: spec.nodeName
29 | - name: POD_NAME
30 | valueFrom:
31 | fieldRef:
32 | fieldPath: metadata.name
33 | - name: POD_NAMESPACE
34 | valueFrom:
35 | fieldRef:
36 | fieldPath: metadata.namespace
37 | - name: POD_IP
38 | valueFrom:
39 | fieldRef:
40 | fieldPath: status.podIP
41 | resources: {}
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/echo-app/dep.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/echo-app/dep.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/echo-app/dep.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/echo-app/dep.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/echo-app/dep.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/echo-app/dep.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/echo-app/dep.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/echo-app/dep.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/echo-app/dep.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/echo-app/dep.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/echo-app/dep.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/echo-app/dep.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/echo-app/dep.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/echo-app/dep.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/echo-app/dep.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/echo-app/dep.yaml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | name: whoami
5 | labels:
6 | app: whoami
7 |
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: whoami
13 | template:
14 | metadata:
15 | labels:
16 | app: whoami
17 | spec:
18 | containers:
19 | - name: whoami
20 | image: traefik/whoami
21 | ports:
22 | - name: web
23 | containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | name: whoami
5 | labels:
6 | app: whoami
7 |
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: whoami
13 | template:
14 | metadata:
15 | labels:
16 | app: whoami
17 | spec:
18 | containers:
19 | - name: whoami
20 | image: traefik/whoami
21 | ports:
22 | - name: web
23 | containerPort: 80
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | name: whoami
5 | labels:
6 | app: whoami
7 |
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: whoami
13 | template:
14 | metadata:
15 | labels:
16 | app: whoami
17 | spec:
18 | containers:
19 | - name: whoami
20 | image: traefik/whoami
21 | ports:
22 | - name: web
23 | containerPort: 80
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | name: whoami
5 | labels:
6 | app: whoami
7 |
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: whoami
13 | template:
14 | metadata:
15 | labels:
16 | app: whoami
17 | spec:
18 | containers:
19 | - name: whoami
20 | image: traefik/whoami
21 | ports:
22 | - name: web
23 | containerPort: 80
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | name: whoami
5 | labels:
6 | app: whoami
7 |
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: whoami
13 | template:
14 | metadata:
15 | labels:
16 | app: whoami
17 | spec:
18 | containers:
19 | - name: whoami
20 | image: traefik/whoami
21 | ports:
22 | - name: web
23 | containerPort: 80
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | name: whoami
5 | labels:
6 | app: whoami
7 |
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: whoami
13 | template:
14 | metadata:
15 | labels:
16 | app: whoami
17 | spec:
18 | containers:
19 | - name: whoami
20 | image: traefik/whoami
21 | ports:
22 | - name: web
23 | containerPort: 80
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | name: whoami
5 | labels:
6 | app: whoami
7 |
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: whoami
13 | template:
14 | metadata:
15 | labels:
16 | app: whoami
17 | spec:
18 | containers:
19 | - name: whoami
20 | image: traefik/whoami
21 | ports:
22 | - name: web
23 | containerPort: 80
Check: CKV_K8S_155: "Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations"
FAILED for resource: ClusterRole.default.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:4477-4506
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-control-over-validating-or-mutating-admission-webhook-configurations-are-minimized.html
4477 | apiVersion: rbac.authorization.k8s.io/v1
4478 | kind: ClusterRole
4479 | metadata:
4480 | name: cert-manager-cainjector
4481 | labels:
4482 | app: cainjector
4483 | app.kubernetes.io/name: cainjector
4484 | app.kubernetes.io/instance: cert-manager
4485 | app.kubernetes.io/component: "cainjector"
4486 | app.kubernetes.io/version: "v1.10.0"
4487 | rules:
4488 | - apiGroups: ["cert-manager.io"]
4489 | resources: ["certificates"]
4490 | verbs: ["get", "list", "watch"]
4491 | - apiGroups: [""]
4492 | resources: ["secrets"]
4493 | verbs: ["get", "list", "watch"]
4494 | - apiGroups: [""]
4495 | resources: ["events"]
4496 | verbs: ["get", "create", "update", "patch"]
4497 | - apiGroups: ["admissionregistration.k8s.io"]
4498 | resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
4499 | verbs: ["get", "list", "watch", "update"]
4500 | - apiGroups: ["apiregistration.k8s.io"]
4501 | resources: ["apiservices"]
4502 | verbs: ["get", "list", "watch", "update"]
4503 | - apiGroups: ["apiextensions.k8s.io"]
4504 | resources: ["customresourcedefinitions"]
4505 | verbs: ["get", "list", "watch", "update"]
4506 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5229-5280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5229-5280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5229-5280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5229-5280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5229-5280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5229-5280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5229-5280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5229-5280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5229-5280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5229-5280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.cert-manager.cert-manager-cainjector
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5229-5280
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5282-5342
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5282-5342
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5282-5342
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5282-5342
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5282-5342
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5282-5342
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5282-5342
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5282-5342
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5282-5342
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5282-5342
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.cert-manager.cert-manager
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5282-5342
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5344-5428
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5344-5428
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5344-5428
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5344-5428
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5344-5428
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5344-5428
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5344-5428
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5344-5428
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.cert-manager.cert-manager-webhook
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5344-5428
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.example-service
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/service.yaml:1-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 | name: example-service
5 | labels:
6 | app: example-app
7 | spec:
8 | externalTrafficPolicy: Cluster
9 | type: LoadBalancer
10 | selector:
11 | app: example-app
12 | ports:
13 | - protocol: TCP
14 | name: http
15 | port: 80
16 | targetPort: 5000
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Ingress.default.whoami-ingress
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/ingress.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: networking.k8s.io/v1
3 | kind: Ingress
4 | metadata:
5 | annotations:
6 | kubernetes.io/ingress.class: "nginx"
7 | nginx.ingress.kubernetes.io/ssl-redirect: "false"
8 | name: whoami-ingress
9 | spec:
10 | tls:
11 | - hosts:
12 | - testcertmanager.ankitrathi.info
13 | secretName: tls-secret
14 | rules:
15 | - host: testcertmanager.ankitrathi.info
16 | http:
17 | paths:
18 | - path: /test
19 | pathType: Prefix
20 | backend:
21 | service:
22 | name: whoami
23 | port:
24 | number: 80
25 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.kube-system.metricbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_034__gcp__metricbeat/24-deployment.yaml:2-69
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.kube-system.metricbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_034__gcp__metricbeat/24-deployment.yaml:2-69
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.kube-system.metricbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_034__gcp__metricbeat/24-deployment.yaml:2-69
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.kube-system.metricbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_034__gcp__metricbeat/24-deployment.yaml:2-69
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_19: "Containers should not share the host network namespace"
FAILED for resource: Deployment.kube-system.metricbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_034__gcp__metricbeat/24-deployment.yaml:2-69
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-18.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.kube-system.metricbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_034__gcp__metricbeat/24-deployment.yaml:2-69
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.kube-system.metricbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_034__gcp__metricbeat/24-deployment.yaml:2-69
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.kube-system.metricbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_034__gcp__metricbeat/24-deployment.yaml:2-69
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.kube-system.metricbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_034__gcp__metricbeat/24-deployment.yaml:2-69
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.kube-system.metricbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_034__gcp__metricbeat/24-deployment.yaml:2-69
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.kube-system.metricbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_034__gcp__metricbeat/24-deployment.yaml:2-69
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.kube-system.metricbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_034__gcp__metricbeat/24-deployment.yaml:2-69
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.kube-system.metricbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_034__gcp__metricbeat/24-deployment.yaml:2-69
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.kube-system.metricbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_034__gcp__metricbeat/24-deployment.yaml:2-69
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.kube-system.metricbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_034__gcp__metricbeat/24-deployment.yaml:2-69
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: DaemonSet.kube-system.metricbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_034__gcp__metricbeat/20-daemonset.yaml:2-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: DaemonSet.kube-system.metricbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_034__gcp__metricbeat/20-daemonset.yaml:2-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: DaemonSet.kube-system.metricbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_034__gcp__metricbeat/20-daemonset.yaml:2-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: DaemonSet.kube-system.metricbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_034__gcp__metricbeat/20-daemonset.yaml:2-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_27: "Do not expose the docker daemon socket to containers"
FAILED for resource: DaemonSet.kube-system.metricbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_034__gcp__metricbeat/20-daemonset.yaml:2-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-26.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_19: "Containers should not share the host network namespace"
FAILED for resource: DaemonSet.kube-system.metricbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_034__gcp__metricbeat/20-daemonset.yaml:2-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-18.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: DaemonSet.kube-system.metricbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_034__gcp__metricbeat/20-daemonset.yaml:2-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: DaemonSet.kube-system.metricbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_034__gcp__metricbeat/20-daemonset.yaml:2-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: DaemonSet.kube-system.metricbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_034__gcp__metricbeat/20-daemonset.yaml:2-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: DaemonSet.kube-system.metricbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_034__gcp__metricbeat/20-daemonset.yaml:2-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: DaemonSet.kube-system.metricbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_034__gcp__metricbeat/20-daemonset.yaml:2-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: DaemonSet.kube-system.metricbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_034__gcp__metricbeat/20-daemonset.yaml:2-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: DaemonSet.kube-system.metricbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_034__gcp__metricbeat/20-daemonset.yaml:2-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: DaemonSet.kube-system.metricbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_034__gcp__metricbeat/20-daemonset.yaml:2-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: DaemonSet.kube-system.metricbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_034__gcp__metricbeat/20-daemonset.yaml:2-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: DaemonSet.kube-system.metricbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_034__gcp__metricbeat/20-daemonset.yaml:2-96
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/20-traefik-service.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
 2 | apiVersion: v1
 3 | kind: Service
 4 | metadata:
 5 |   name: traefik
 6 | spec:
 7 |   type: LoadBalancer
 8 |   selector:
 9 |     app: traefik
10 |   ports:
11 |     - protocol: TCP
12 |       port: 80
13 |       name: web
14 |       targetPort: 80
15 |     - protocol: TCP
16 |       port: 443
17 |       name: websecure
18 |       targetPort: 80
19 |     - protocol: TCP
20 |       port: 8080
21 |       name: admin
22 |       targetPort: 8080
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
 1 | kind: Deployment
 2 | apiVersion: apps/v1
 3 | metadata:
 4 |   namespace: default
 5 |   name: whoami
 6 |   labels:
 7 |     app: whoami
 8 |
 9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: whoami
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: whoami
18 |     spec:
19 |       containers:
20 |         - name: whoami
21 |           image: containous/whoami
22 |           ports:
23 |             - name: web
24 |               containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/25-whoami-deployment.yaml:1-24
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.traefik-config-map
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/24-traefik-configMap.yaml:1-29
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
 1 | kind: ConfigMap
 2 | apiVersion: v1
 3 | metadata:
 4 |   name: traefik-config-map
 5 | data:
 6 |   traefik.toml: |-
 7 |     [global]
 8 |     checkNewVersion = false
 9 |     sendAnonymousUsage = false
10 |     [retry]
11 |     attempts = 3
12 |     maxMem = 3
13 |     [entryPoints]
14 |     [entryPoints.web]
15 |     address = ":80"
16 |     [entryPoints.websecure]
17 |     address = ":443"
18 |     [log]
19 |     level = "DEBUG"
20 |     [accessLog]
21 |     [api]
22 |     insecure = true
23 |     dashboard = true
24 |     debug = true
25 |     [providers]
26 |     [providers.file]
27 |     directory = "/var/tf"
28 |     watch = true
29 |     [providers.kubernetesCRD]
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ServiceAccount.default.traefik-ingress-controller
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/10-service-account.yaml:1-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
 1 | apiVersion: v1
 2 | kind: ServiceAccount
 3 | metadata:
 4 |   name: traefik-ingress-controller
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/30-whoami-service.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
 1 | apiVersion: v1
 2 | kind: Service
 3 | metadata:
 4 |   name: whoami
 5 |
 6 | spec:
 7 |   ports:
 8 |     - protocol: TCP
 9 |       name: web
10 |       port: 80
11 |   selector:
12 |     app: whoami
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/15-traefik-deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
 2 | kind: Deployment
 3 | apiVersion: extensions/v1beta1
 4 | metadata:
 5 |   name: traefik
 6 |   labels:
 7 |     app: traefik
 8 |
 9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: traefik
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: traefik
18 |     spec:
19 |       serviceAccountName: traefik-ingress-controller
20 |       volumes:
21 |         - name: config
22 |           configMap:
23 |             name: traefik-config-map
24 |       containers:
25 |         - name: traefik
26 |           image: traefik:v2.1
27 |           args:
28 |             - --accesslog=true
29 |             - --api
30 |             - --api.insecure
31 |             - --entrypoints.web.address=:80
32 |             - --entrypoints.websecure.address=:443
33 |             - --providers.kubernetescrd
34 |             - --configfile=/config/traefik.toml
35 |           ports:
36 |             - name: web
37 |               containerPort: 80
38 |             - name: admin
39 |               containerPort: 8080
40 |             - name: websecure
41 |               containerPort: 443
42 |           volumeMounts:
43 |             - mountPath: /etc/traefik/traefik.toml
44 |               name: config
45 |               subPath: traefik.toml
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/15-traefik-deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/15-traefik-deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | kind: Deployment
3 | apiVersion: extensions/v1beta1
4 | metadata:
5 | name: traefik
6 | labels:
7 | app: traefik
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: traefik
14 | template:
15 | metadata:
16 | labels:
17 | app: traefik
18 | spec:
19 | serviceAccountName: traefik-ingress-controller
20 | volumes:
21 | - name: config
22 | configMap:
23 | name: traefik-config-map
24 | containers:
25 | - name: traefik
26 | image: traefik:v2.1
27 | args:
28 | - --accesslog=true
29 | - --api
30 | - --api.insecure
31 | - --entrypoints.web.address=:80
32 | - --entrypoints.websecure.address=:443
33 | - --providers.kubernetescrd
34 | - --configfile=/config/traefik.toml
35 | ports:
36 | - name: web
37 | containerPort: 80
38 | - name: admin
39 | containerPort: 8080
40 | - name: websecure
41 | containerPort: 443
42 | volumeMounts:
43 | - mountPath: /etc/traefik/traefik.toml
44 | name: config
45 | subPath: traefik.toml
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/15-traefik-deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | kind: Deployment
3 | apiVersion: extensions/v1beta1
4 | metadata:
5 | name: traefik
6 | labels:
7 | app: traefik
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: traefik
14 | template:
15 | metadata:
16 | labels:
17 | app: traefik
18 | spec:
19 | serviceAccountName: traefik-ingress-controller
20 | volumes:
21 | - name: config
22 | configMap:
23 | name: traefik-config-map
24 | containers:
25 | - name: traefik
26 | image: traefik:v2.1
27 | args:
28 | - --accesslog=true
29 | - --api
30 | - --api.insecure
31 | - --entrypoints.web.address=:80
32 | - --entrypoints.websecure.address=:443
33 | - --providers.kubernetescrd
34 | - --configfile=/config/traefik.toml
35 | ports:
36 | - name: web
37 | containerPort: 80
38 | - name: admin
39 | containerPort: 8080
40 | - name: websecure
41 | containerPort: 443
42 | volumeMounts:
43 | - mountPath: /etc/traefik/traefik.toml
44 | name: config
45 | subPath: traefik.toml
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/15-traefik-deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | kind: Deployment
3 | apiVersion: extensions/v1beta1
4 | metadata:
5 | name: traefik
6 | labels:
7 | app: traefik
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: traefik
14 | template:
15 | metadata:
16 | labels:
17 | app: traefik
18 | spec:
19 | serviceAccountName: traefik-ingress-controller
20 | volumes:
21 | - name: config
22 | configMap:
23 | name: traefik-config-map
24 | containers:
25 | - name: traefik
26 | image: traefik:v2.1
27 | args:
28 | - --accesslog=true
29 | - --api
30 | - --api.insecure
31 | - --entrypoints.web.address=:80
32 | - --entrypoints.websecure.address=:443
33 | - --providers.kubernetescrd
34 | - --configfile=/config/traefik.toml
35 | ports:
36 | - name: web
37 | containerPort: 80
38 | - name: admin
39 | containerPort: 8080
40 | - name: websecure
41 | containerPort: 443
42 | volumeMounts:
43 | - mountPath: /etc/traefik/traefik.toml
44 | name: config
45 | subPath: traefik.toml
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/15-traefik-deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | kind: Deployment
3 | apiVersion: extensions/v1beta1
4 | metadata:
5 | name: traefik
6 | labels:
7 | app: traefik
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: traefik
14 | template:
15 | metadata:
16 | labels:
17 | app: traefik
18 | spec:
19 | serviceAccountName: traefik-ingress-controller
20 | volumes:
21 | - name: config
22 | configMap:
23 | name: traefik-config-map
24 | containers:
25 | - name: traefik
26 | image: traefik:v2.1
27 | args:
28 | - --accesslog=true
29 | - --api
30 | - --api.insecure
31 | - --entrypoints.web.address=:80
32 | - --entrypoints.websecure.address=:443
33 | - --providers.kubernetescrd
34 | - --configfile=/config/traefik.toml
35 | ports:
36 | - name: web
37 | containerPort: 80
38 | - name: admin
39 | containerPort: 8080
40 | - name: websecure
41 | containerPort: 443
42 | volumeMounts:
43 | - mountPath: /etc/traefik/traefik.toml
44 | name: config
45 | subPath: traefik.toml
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/15-traefik-deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | kind: Deployment
3 | apiVersion: extensions/v1beta1
4 | metadata:
5 | name: traefik
6 | labels:
7 | app: traefik
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: traefik
14 | template:
15 | metadata:
16 | labels:
17 | app: traefik
18 | spec:
19 | serviceAccountName: traefik-ingress-controller
20 | volumes:
21 | - name: config
22 | configMap:
23 | name: traefik-config-map
24 | containers:
25 | - name: traefik
26 | image: traefik:v2.1
27 | args:
28 | - --accesslog=true
29 | - --api
30 | - --api.insecure
31 | - --entrypoints.web.address=:80
32 | - --entrypoints.websecure.address=:443
33 | - --providers.kubernetescrd
34 | - --configfile=/config/traefik.toml
35 | ports:
36 | - name: web
37 | containerPort: 80
38 | - name: admin
39 | containerPort: 8080
40 | - name: websecure
41 | containerPort: 443
42 | volumeMounts:
43 | - mountPath: /etc/traefik/traefik.toml
44 | name: config
45 | subPath: traefik.toml
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/15-traefik-deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | kind: Deployment
3 | apiVersion: extensions/v1beta1
4 | metadata:
5 | name: traefik
6 | labels:
7 | app: traefik
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: traefik
14 | template:
15 | metadata:
16 | labels:
17 | app: traefik
18 | spec:
19 | serviceAccountName: traefik-ingress-controller
20 | volumes:
21 | - name: config
22 | configMap:
23 | name: traefik-config-map
24 | containers:
25 | - name: traefik
26 | image: traefik:v2.1
27 | args:
28 | - --accesslog=true
29 | - --api
30 | - --api.insecure
31 | - --entrypoints.web.address=:80
32 | - --entrypoints.websecure.address=:443
33 | - --providers.kubernetescrd
34 | - --configfile=/config/traefik.toml
35 | ports:
36 | - name: web
37 | containerPort: 80
38 | - name: admin
39 | containerPort: 8080
40 | - name: websecure
41 | containerPort: 443
42 | volumeMounts:
43 | - mountPath: /etc/traefik/traefik.toml
44 | name: config
45 | subPath: traefik.toml
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/15-traefik-deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | kind: Deployment
3 | apiVersion: extensions/v1beta1
4 | metadata:
5 | name: traefik
6 | labels:
7 | app: traefik
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: traefik
14 | template:
15 | metadata:
16 | labels:
17 | app: traefik
18 | spec:
19 | serviceAccountName: traefik-ingress-controller
20 | volumes:
21 | - name: config
22 | configMap:
23 | name: traefik-config-map
24 | containers:
25 | - name: traefik
26 | image: traefik:v2.1
27 | args:
28 | - --accesslog=true
29 | - --api
30 | - --api.insecure
31 | - --entrypoints.web.address=:80
32 | - --entrypoints.websecure.address=:443
33 | - --providers.kubernetescrd
34 | - --configfile=/config/traefik.toml
35 | ports:
36 | - name: web
37 | containerPort: 80
38 | - name: admin
39 | containerPort: 8080
40 | - name: websecure
41 | containerPort: 443
42 | volumeMounts:
43 | - mountPath: /etc/traefik/traefik.toml
44 | name: config
45 | subPath: traefik.toml
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/15-traefik-deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | kind: Deployment
3 | apiVersion: extensions/v1beta1
4 | metadata:
5 | name: traefik
6 | labels:
7 | app: traefik
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: traefik
14 | template:
15 | metadata:
16 | labels:
17 | app: traefik
18 | spec:
19 | serviceAccountName: traefik-ingress-controller
20 | volumes:
21 | - name: config
22 | configMap:
23 | name: traefik-config-map
24 | containers:
25 | - name: traefik
26 | image: traefik:v2.1
27 | args:
28 | - --accesslog=true
29 | - --api
30 | - --api.insecure
31 | - --entrypoints.web.address=:80
32 | - --entrypoints.websecure.address=:443
33 | - --providers.kubernetescrd
34 | - --configfile=/config/traefik.toml
35 | ports:
36 | - name: web
37 | containerPort: 80
38 | - name: admin
39 | containerPort: 8080
40 | - name: websecure
41 | containerPort: 443
42 | volumeMounts:
43 | - mountPath: /etc/traefik/traefik.toml
44 | name: config
45 | subPath: traefik.toml
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/15-traefik-deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | kind: Deployment
3 | apiVersion: extensions/v1beta1
4 | metadata:
5 | name: traefik
6 | labels:
7 | app: traefik
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: traefik
14 | template:
15 | metadata:
16 | labels:
17 | app: traefik
18 | spec:
19 | serviceAccountName: traefik-ingress-controller
20 | volumes:
21 | - name: config
22 | configMap:
23 | name: traefik-config-map
24 | containers:
25 | - name: traefik
26 | image: traefik:v2.1
27 | args:
28 | - --accesslog=true
29 | - --api
30 | - --api.insecure
31 | - --entrypoints.web.address=:80
32 | - --entrypoints.websecure.address=:443
33 | - --providers.kubernetescrd
34 | - --configfile=/config/traefik.toml
35 | ports:
36 | - name: web
37 | containerPort: 80
38 | - name: admin
39 | containerPort: 8080
40 | - name: websecure
41 | containerPort: 443
42 | volumeMounts:
43 | - mountPath: /etc/traefik/traefik.toml
44 | name: config
45 | subPath: traefik.toml
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/15-traefik-deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | kind: Deployment
3 | apiVersion: extensions/v1beta1
4 | metadata:
5 | name: traefik
6 | labels:
7 | app: traefik
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: traefik
14 | template:
15 | metadata:
16 | labels:
17 | app: traefik
18 | spec:
19 | serviceAccountName: traefik-ingress-controller
20 | volumes:
21 | - name: config
22 | configMap:
23 | name: traefik-config-map
24 | containers:
25 | - name: traefik
26 | image: traefik:v2.1
27 | args:
28 | - --accesslog=true
29 | - --api
30 | - --api.insecure
31 | - --entrypoints.web.address=:80
32 | - --entrypoints.websecure.address=:443
33 | - --providers.kubernetescrd
34 | - --configfile=/config/traefik.toml
35 | ports:
36 | - name: web
37 | containerPort: 80
38 | - name: admin
39 | containerPort: 8080
40 | - name: websecure
41 | containerPort: 443
42 | volumeMounts:
43 | - mountPath: /etc/traefik/traefik.toml
44 | name: config
45 | subPath: traefik.toml
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/15-traefik-deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | kind: Deployment
3 | apiVersion: extensions/v1beta1
4 | metadata:
5 | name: traefik
6 | labels:
7 | app: traefik
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: traefik
14 | template:
15 | metadata:
16 | labels:
17 | app: traefik
18 | spec:
19 | serviceAccountName: traefik-ingress-controller
20 | volumes:
21 | - name: config
22 | configMap:
23 | name: traefik-config-map
24 | containers:
25 | - name: traefik
26 | image: traefik:v2.1
27 | args:
28 | - --accesslog=true
29 | - --api
30 | - --api.insecure
31 | - --entrypoints.web.address=:80
32 | - --entrypoints.websecure.address=:443
33 | - --providers.kubernetescrd
34 | - --configfile=/config/traefik.toml
35 | ports:
36 | - name: web
37 | containerPort: 80
38 | - name: admin
39 | containerPort: 8080
40 | - name: websecure
41 | containerPort: 443
42 | volumeMounts:
43 | - mountPath: /etc/traefik/traefik.toml
44 | name: config
45 | subPath: traefik.toml
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/15-traefik-deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | kind: Deployment
3 | apiVersion: extensions/v1beta1
4 | metadata:
5 | name: traefik
6 | labels:
7 | app: traefik
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: traefik
14 | template:
15 | metadata:
16 | labels:
17 | app: traefik
18 | spec:
19 | serviceAccountName: traefik-ingress-controller
20 | volumes:
21 | - name: config
22 | configMap:
23 | name: traefik-config-map
24 | containers:
25 | - name: traefik
26 | image: traefik:v2.1
27 | args:
28 | - --accesslog=true
29 | - --api
30 | - --api.insecure
31 | - --entrypoints.web.address=:80
32 | - --entrypoints.websecure.address=:443
33 | - --providers.kubernetescrd
34 | - --configfile=/config/traefik.toml
35 | ports:
36 | - name: web
37 | containerPort: 80
38 | - name: admin
39 | containerPort: 8080
40 | - name: websecure
41 | containerPort: 443
42 | volumeMounts:
43 | - mountPath: /etc/traefik/traefik.toml
44 | name: config
45 | subPath: traefik.toml
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/15-traefik-deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | kind: Deployment
3 | apiVersion: extensions/v1beta1
4 | metadata:
5 | name: traefik
6 | labels:
7 | app: traefik
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: traefik
14 | template:
15 | metadata:
16 | labels:
17 | app: traefik
18 | spec:
19 | serviceAccountName: traefik-ingress-controller
20 | volumes:
21 | - name: config
22 | configMap:
23 | name: traefik-config-map
24 | containers:
25 | - name: traefik
26 | image: traefik:v2.1
27 | args:
28 | - --accesslog=true
29 | - --api
30 | - --api.insecure
31 | - --entrypoints.web.address=:80
32 | - --entrypoints.websecure.address=:443
33 | - --providers.kubernetescrd
34 | - --configfile=/config/traefik.toml
35 | ports:
36 | - name: web
37 | containerPort: 80
38 | - name: admin
39 | containerPort: 8080
40 | - name: websecure
41 | containerPort: 443
42 | volumeMounts:
43 | - mountPath: /etc/traefik/traefik.toml
44 | name: config
45 | subPath: traefik.toml
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/15-traefik-deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | kind: Deployment
3 | apiVersion: extensions/v1beta1
4 | metadata:
5 | name: traefik
6 | labels:
7 | app: traefik
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: traefik
14 | template:
15 | metadata:
16 | labels:
17 | app: traefik
18 | spec:
19 | serviceAccountName: traefik-ingress-controller
20 | volumes:
21 | - name: config
22 | configMap:
23 | name: traefik-config-map
24 | containers:
25 | - name: traefik
26 | image: traefik:v2.1
27 | args:
28 | - --accesslog=true
29 | - --api
30 | - --api.insecure
31 | - --entrypoints.web.address=:80
32 | - --entrypoints.websecure.address=:443
33 | - --providers.kubernetescrd
34 | - --configfile=/config/traefik.toml
35 | ports:
36 | - name: web
37 | containerPort: 80
38 | - name: admin
39 | containerPort: 8080
40 | - name: websecure
41 | containerPort: 443
42 | volumeMounts:
43 | - mountPath: /etc/traefik/traefik.toml
44 | name: config
45 | subPath: traefik.toml
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/15-traefik-deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | kind: Deployment
3 | apiVersion: extensions/v1beta1
4 | metadata:
5 | name: traefik
6 | labels:
7 | app: traefik
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: traefik
14 | template:
15 | metadata:
16 | labels:
17 | app: traefik
18 | spec:
19 | serviceAccountName: traefik-ingress-controller
20 | volumes:
21 | - name: config
22 | configMap:
23 | name: traefik-config-map
24 | containers:
25 | - name: traefik
26 | image: traefik:v2.1
27 | args:
28 | - --accesslog=true
29 | - --api
30 | - --api.insecure
31 | - --entrypoints.web.address=:80
32 | - --entrypoints.websecure.address=:443
33 | - --providers.kubernetescrd
34 | - --configfile=/config/traefik.toml
35 | ports:
36 | - name: web
37 | containerPort: 80
38 | - name: admin
39 | containerPort: 8080
40 | - name: websecure
41 | containerPort: 443
42 | volumeMounts:
43 | - mountPath: /etc/traefik/traefik.toml
44 | name: config
45 | subPath: traefik.toml
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/15-traefik-deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
2 | kind: Deployment
3 | apiVersion: extensions/v1beta1
4 | metadata:
5 | name: traefik
6 | labels:
7 | app: traefik
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: traefik
14 | template:
15 | metadata:
16 | labels:
17 | app: traefik
18 | spec:
19 | serviceAccountName: traefik-ingress-controller
20 | volumes:
21 | - name: config
22 | configMap:
23 | name: traefik-config-map
24 | containers:
25 | - name: traefik
26 | image: traefik:v2.1
27 | args:
28 | - --accesslog=true
29 | - --api
30 | - --api.insecure
31 | - --entrypoints.web.address=:80
32 | - --entrypoints.websecure.address=:443
33 | - --providers.kubernetescrd
34 | - --configfile=/config/traefik.toml
35 | ports:
36 | - name: web
37 | containerPort: 80
38 | - name: admin
39 | containerPort: 8080
40 | - name: websecure
41 | containerPort: 443
42 | volumeMounts:
43 | - mountPath: /etc/traefik/traefik.toml
44 | name: config
45 | subPath: traefik.toml
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/15-traefik-deployment.yaml:2-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | kind: Deployment
3 | apiVersion: extensions/v1beta1
4 | metadata:
5 | name: traefik
6 | labels:
7 | app: traefik
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: traefik
14 | template:
15 | metadata:
16 | labels:
17 | app: traefik
18 | spec:
19 | serviceAccountName: traefik-ingress-controller
20 | volumes:
21 | - name: config
22 | configMap:
23 | name: traefik-config-map
24 | containers:
25 | - name: traefik
26 | image: traefik:v2.1
27 | args:
28 | - --accesslog=true
29 | - --api
30 | - --api.insecure
31 | - --entrypoints.web.address=:80
32 | - --entrypoints.websecure.address=:443
33 | - --providers.kubernetescrd
34 | - --configfile=/config/traefik.toml
35 | ports:
36 | - name: web
37 | containerPort: 80
38 | - name: admin
39 | containerPort: 8080
40 | - name: websecure
41 | containerPort: 443
42 | volumeMounts:
43 | - mountPath: /etc/traefik/traefik.toml
44 | name: config
45 | subPath: traefik.toml
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: DeploymentConfig.default.qotd
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/deploymentconfig.yaml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps.openshift.io/v1
2 | kind: DeploymentConfig
3 | metadata:
4 | name: qotd
5 | labels:
6 | app: qotd
7 | spec:
8 | selector:
9 | app: qotd
10 | replicas: 1
11 | template:
12 | metadata:
13 | labels:
14 | app: qotd
15 | spec:
16 | containers:
17 | - name: qotd
18 | image: image-registry.openshift-image-registry.svc:5000/pipelines-tutorial/qotd:latest
19 | imagePullPolicy: Always
20 | ports:
21 | - containerPort: 10000
22 | protocol: TCP
23 | triggers:
24 | - type: ConfigChange
25 | - imageChangeParams:
26 | automatic: true
27 | containerNames:
28 | - qotd
29 | from:
30 | kind: ImageStreamTag
31 | name: qotd:latest
32 | type: ImageChange
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: DeploymentConfig.default.qotd
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/deploymentconfig.yaml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
1 | apiVersion: apps.openshift.io/v1
2 | kind: DeploymentConfig
3 | metadata:
4 | name: qotd
5 | labels:
6 | app: qotd
7 | spec:
8 | selector:
9 | app: qotd
10 | replicas: 1
11 | template:
12 | metadata:
13 | labels:
14 | app: qotd
15 | spec:
16 | containers:
17 | - name: qotd
18 | image: image-registry.openshift-image-registry.svc:5000/pipelines-tutorial/qotd:latest
19 | imagePullPolicy: Always
20 | ports:
21 | - containerPort: 10000
22 | protocol: TCP
23 | triggers:
24 | - type: ConfigChange
25 | - imageChangeParams:
26 | automatic: true
27 | containerNames:
28 | - qotd
29 | from:
30 | kind: ImageStreamTag
31 | name: qotd:latest
32 | type: ImageChange
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: DeploymentConfig.default.qotd
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/deploymentconfig.yaml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
1 | apiVersion: apps.openshift.io/v1
2 | kind: DeploymentConfig
3 | metadata:
4 | name: qotd
5 | labels:
6 | app: qotd
7 | spec:
8 | selector:
9 | app: qotd
10 | replicas: 1
11 | template:
12 | metadata:
13 | labels:
14 | app: qotd
15 | spec:
16 | containers:
17 | - name: qotd
18 | image: image-registry.openshift-image-registry.svc:5000/pipelines-tutorial/qotd:latest
19 | imagePullPolicy: Always
20 | ports:
21 | - containerPort: 10000
22 | protocol: TCP
23 | triggers:
24 | - type: ConfigChange
25 | - imageChangeParams:
26 | automatic: true
27 | containerNames:
28 | - qotd
29 | from:
30 | kind: ImageStreamTag
31 | name: qotd:latest
32 | type: ImageChange
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: DeploymentConfig.default.qotd
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/deploymentconfig.yaml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
1 | apiVersion: apps.openshift.io/v1
2 | kind: DeploymentConfig
3 | metadata:
4 | name: qotd
5 | labels:
6 | app: qotd
7 | spec:
8 | selector:
9 | app: qotd
10 | replicas: 1
11 | template:
12 | metadata:
13 | labels:
14 | app: qotd
15 | spec:
16 | containers:
17 | - name: qotd
18 | image: image-registry.openshift-image-registry.svc:5000/pipelines-tutorial/qotd:latest
19 | imagePullPolicy: Always
20 | ports:
21 | - containerPort: 10000
22 | protocol: TCP
23 | triggers:
24 | - type: ConfigChange
25 | - imageChangeParams:
26 | automatic: true
27 | containerNames:
28 | - qotd
29 | from:
30 | kind: ImageStreamTag
31 | name: qotd:latest
32 | type: ImageChange
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: DeploymentConfig.default.qotd
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/deploymentconfig.yaml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
1 | apiVersion: apps.openshift.io/v1
2 | kind: DeploymentConfig
3 | metadata:
4 | name: qotd
5 | labels:
6 | app: qotd
7 | spec:
8 | selector:
9 | app: qotd
10 | replicas: 1
11 | template:
12 | metadata:
13 | labels:
14 | app: qotd
15 | spec:
16 | containers:
17 | - name: qotd
18 | image: image-registry.openshift-image-registry.svc:5000/pipelines-tutorial/qotd:latest
19 | imagePullPolicy: Always
20 | ports:
21 | - containerPort: 10000
22 | protocol: TCP
23 | triggers:
24 | - type: ConfigChange
25 | - imageChangeParams:
26 | automatic: true
27 | containerNames:
28 | - qotd
29 | from:
30 | kind: ImageStreamTag
31 | name: qotd:latest
32 | type: ImageChange
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: DeploymentConfig.default.qotd
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/deploymentconfig.yaml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
1 | apiVersion: apps.openshift.io/v1
2 | kind: DeploymentConfig
3 | metadata:
4 | name: qotd
5 | labels:
6 | app: qotd
7 | spec:
8 | selector:
9 | app: qotd
10 | replicas: 1
11 | template:
12 | metadata:
13 | labels:
14 | app: qotd
15 | spec:
16 | containers:
17 | - name: qotd
18 | image: image-registry.openshift-image-registry.svc:5000/pipelines-tutorial/qotd:latest
19 | imagePullPolicy: Always
20 | ports:
21 | - containerPort: 10000
22 | protocol: TCP
23 | triggers:
24 | - type: ConfigChange
25 | - imageChangeParams:
26 | automatic: true
27 | containerNames:
28 | - qotd
29 | from:
30 | kind: ImageStreamTag
31 | name: qotd:latest
32 | type: ImageChange
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: DeploymentConfig.default.qotd
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/deploymentconfig.yaml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
1 | apiVersion: apps.openshift.io/v1
2 | kind: DeploymentConfig
3 | metadata:
4 | name: qotd
5 | labels:
6 | app: qotd
7 | spec:
8 | selector:
9 | app: qotd
10 | replicas: 1
11 | template:
12 | metadata:
13 | labels:
14 | app: qotd
15 | spec:
16 | containers:
17 | - name: qotd
18 | image: image-registry.openshift-image-registry.svc:5000/pipelines-tutorial/qotd:latest
19 | imagePullPolicy: Always
20 | ports:
21 | - containerPort: 10000
22 | protocol: TCP
23 | triggers:
24 | - type: ConfigChange
25 | - imageChangeParams:
26 | automatic: true
27 | containerNames:
28 | - qotd
29 | from:
30 | kind: ImageStreamTag
31 | name: qotd:latest
32 | type: ImageChange
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: DeploymentConfig.default.qotd
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/deploymentconfig.yaml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
1 | apiVersion: apps.openshift.io/v1
2 | kind: DeploymentConfig
3 | metadata:
4 | name: qotd
5 | labels:
6 | app: qotd
7 | spec:
8 | selector:
9 | app: qotd
10 | replicas: 1
11 | template:
12 | metadata:
13 | labels:
14 | app: qotd
15 | spec:
16 | containers:
17 | - name: qotd
18 | image: image-registry.openshift-image-registry.svc:5000/pipelines-tutorial/qotd:latest
19 | imagePullPolicy: Always
20 | ports:
21 | - containerPort: 10000
22 | protocol: TCP
23 | triggers:
24 | - type: ConfigChange
25 | - imageChangeParams:
26 | automatic: true
27 | containerNames:
28 | - qotd
29 | from:
30 | kind: ImageStreamTag
31 | name: qotd:latest
32 | type: ImageChange
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: DeploymentConfig.default.qotd
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/deploymentconfig.yaml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
1 | apiVersion: apps.openshift.io/v1
2 | kind: DeploymentConfig
3 | metadata:
4 | name: qotd
5 | labels:
6 | app: qotd
7 | spec:
8 | selector:
9 | app: qotd
10 | replicas: 1
11 | template:
12 | metadata:
13 | labels:
14 | app: qotd
15 | spec:
16 | containers:
17 | - name: qotd
18 | image: image-registry.openshift-image-registry.svc:5000/pipelines-tutorial/qotd:latest
19 | imagePullPolicy: Always
20 | ports:
21 | - containerPort: 10000
22 | protocol: TCP
23 | triggers:
24 | - type: ConfigChange
25 | - imageChangeParams:
26 | automatic: true
27 | containerNames:
28 | - qotd
29 | from:
30 | kind: ImageStreamTag
31 | name: qotd:latest
32 | type: ImageChange
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: DeploymentConfig.default.qotd
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/deploymentconfig.yaml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | apiVersion: apps.openshift.io/v1
2 | kind: DeploymentConfig
3 | metadata:
4 | name: qotd
5 | labels:
6 | app: qotd
7 | spec:
8 | selector:
9 | app: qotd
10 | replicas: 1
11 | template:
12 | metadata:
13 | labels:
14 | app: qotd
15 | spec:
16 | containers:
17 | - name: qotd
18 | image: image-registry.openshift-image-registry.svc:5000/pipelines-tutorial/qotd:latest
19 | imagePullPolicy: Always
20 | ports:
21 | - containerPort: 10000
22 | protocol: TCP
23 | triggers:
24 | - type: ConfigChange
25 | - imageChangeParams:
26 | automatic: true
27 | containerNames:
28 | - qotd
29 | from:
30 | kind: ImageStreamTag
31 | name: qotd:latest
32 | type: ImageChange
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: DeploymentConfig.default.qotd
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/deploymentconfig.yaml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | apiVersion: apps.openshift.io/v1
2 | kind: DeploymentConfig
3 | metadata:
4 | name: qotd
5 | labels:
6 | app: qotd
7 | spec:
8 | selector:
9 | app: qotd
10 | replicas: 1
11 | template:
12 | metadata:
13 | labels:
14 | app: qotd
15 | spec:
16 | containers:
17 | - name: qotd
18 | image: image-registry.openshift-image-registry.svc:5000/pipelines-tutorial/qotd:latest
19 | imagePullPolicy: Always
20 | ports:
21 | - containerPort: 10000
22 | protocol: TCP
23 | triggers:
24 | - type: ConfigChange
25 | - imageChangeParams:
26 | automatic: true
27 | containerNames:
28 | - qotd
29 | from:
30 | kind: ImageStreamTag
31 | name: qotd:latest
32 | type: ImageChange
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: DeploymentConfig.default.qotd
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/deploymentconfig.yaml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
1 | apiVersion: apps.openshift.io/v1
2 | kind: DeploymentConfig
3 | metadata:
4 | name: qotd
5 | labels:
6 | app: qotd
7 | spec:
8 | selector:
9 | app: qotd
10 | replicas: 1
11 | template:
12 | metadata:
13 | labels:
14 | app: qotd
15 | spec:
16 | containers:
17 | - name: qotd
18 | image: image-registry.openshift-image-registry.svc:5000/pipelines-tutorial/qotd:latest
19 | imagePullPolicy: Always
20 | ports:
21 | - containerPort: 10000
22 | protocol: TCP
23 | triggers:
24 | - type: ConfigChange
25 | - imageChangeParams:
26 | automatic: true
27 | containerNames:
28 | - qotd
29 | from:
30 | kind: ImageStreamTag
31 | name: qotd:latest
32 | type: ImageChange
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: DeploymentConfig.default.qotd
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/deploymentconfig.yaml:1-32
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
1 | apiVersion: apps.openshift.io/v1
2 | kind: DeploymentConfig
3 | metadata:
4 | name: qotd
5 | labels:
6 | app: qotd
7 | spec:
8 | selector:
9 | app: qotd
10 | replicas: 1
11 | template:
12 | metadata:
13 | labels:
14 | app: qotd
15 | spec:
16 | containers:
17 | - name: qotd
18 | image: image-registry.openshift-image-registry.svc:5000/pipelines-tutorial/qotd:latest
19 | imagePullPolicy: Always
20 | ports:
21 | - containerPort: 10000
22 | protocol: TCP
23 | triggers:
24 | - type: ConfigChange
25 | - imageChangeParams:
26 | automatic: true
27 | containerNames:
28 | - qotd
29 | from:
30 | kind: ImageStreamTag
31 | name: qotd:latest
32 | type: ImageChange
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.quotes
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/service.yaml:1-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 | labels:
5 | app: quotes
6 | sandbox: learn-kubernetes
7 | learn-kubernetes: quotes
8 | name: quotes
9 | spec:
10 | ports:
11 | - name: 10000-tcp
12 | port: 10000
13 | protocol: TCP
14 | targetPort: 10000
15 | - name: 8443-tcp
16 | port: 8443
17 | protocol: TCP
18 | targetPort: 8443
19 | - name: 8778-tcp
20 | port: 8778
21 | protocol: TCP
22 | targetPort: 8778
23 | selector:
24 | app: quotes
25 | sessionAffinity: None
26 | type: ClusterIP
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Ingress.default.quotes-ingress
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/ingress.yaml:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: networking.k8s.io/v1
2 | kind: Ingress
3 | metadata:
4 | name: quotes-ingress
5 | annotations:
6 | nginx.ingress.kubernetes.io/rewrite-target: /
7 | spec:
8 | rules:
9 | - http:
10 | paths:
11 | - path: /quotespath
12 | pathType: Prefix
13 | backend:
14 | service:
15 | name: quotes
16 | port:
17 | number: 80
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.quotes
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/quotes-deployment.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | name: quotes
5 | labels:
6 | app: quotes
7 | sandbox: learn-kubernetes
8 | learn-kubernetes: quotes
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: quotes
14 | template:
15 | metadata:
16 | labels:
17 | app: quotes
18 | spec:
19 | containers:
20 | - name: quotes
21 | image: quay.io/donschenck/quotes:v1
22 | imagePullPolicy: Always
23 | ports:
24 | - containerPort: 10000
25 | protocol: TCP
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.quotes
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/quotes-deployment.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | name: quotes
5 | labels:
6 | app: quotes
7 | sandbox: learn-kubernetes
8 | learn-kubernetes: quotes
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: quotes
14 | template:
15 | metadata:
16 | labels:
17 | app: quotes
18 | spec:
19 | containers:
20 | - name: quotes
21 | image: quay.io/donschenck/quotes:v1
22 | imagePullPolicy: Always
23 | ports:
24 | - containerPort: 10000
25 | protocol: TCP
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.quotes
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/quotes-deployment.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | name: quotes
5 | labels:
6 | app: quotes
7 | sandbox: learn-kubernetes
8 | learn-kubernetes: quotes
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: quotes
14 | template:
15 | metadata:
16 | labels:
17 | app: quotes
18 | spec:
19 | containers:
20 | - name: quotes
21 | image: quay.io/donschenck/quotes:v1
22 | imagePullPolicy: Always
23 | ports:
24 | - containerPort: 10000
25 | protocol: TCP
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.quotes
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/quotes-deployment.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | name: quotes
5 | labels:
6 | app: quotes
7 | sandbox: learn-kubernetes
8 | learn-kubernetes: quotes
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: quotes
14 | template:
15 | metadata:
16 | labels:
17 | app: quotes
18 | spec:
19 | containers:
20 | - name: quotes
21 | image: quay.io/donschenck/quotes:v1
22 | imagePullPolicy: Always
23 | ports:
24 | - containerPort: 10000
25 | protocol: TCP
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.quotes
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/quotes-deployment.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | name: quotes
5 | labels:
6 | app: quotes
7 | sandbox: learn-kubernetes
8 | learn-kubernetes: quotes
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: quotes
14 | template:
15 | metadata:
16 | labels:
17 | app: quotes
18 | spec:
19 | containers:
20 | - name: quotes
21 | image: quay.io/donschenck/quotes:v1
22 | imagePullPolicy: Always
23 | ports:
24 | - containerPort: 10000
25 | protocol: TCP
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.quotes
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/quotes-deployment.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | name: quotes
5 | labels:
6 | app: quotes
7 | sandbox: learn-kubernetes
8 | learn-kubernetes: quotes
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: quotes
14 | template:
15 | metadata:
16 | labels:
17 | app: quotes
18 | spec:
19 | containers:
20 | - name: quotes
21 | image: quay.io/donschenck/quotes:v1
22 | imagePullPolicy: Always
23 | ports:
24 | - containerPort: 10000
25 | protocol: TCP
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.quotes
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/quotes-deployment.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | name: quotes
5 | labels:
6 | app: quotes
7 | sandbox: learn-kubernetes
8 | learn-kubernetes: quotes
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: quotes
14 | template:
15 | metadata:
16 | labels:
17 | app: quotes
18 | spec:
19 | containers:
20 | - name: quotes
21 | image: quay.io/donschenck/quotes:v1
22 | imagePullPolicy: Always
23 | ports:
24 | - containerPort: 10000
25 | protocol: TCP
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.quotes
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/quotes-deployment.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | name: quotes
5 | labels:
6 | app: quotes
7 | sandbox: learn-kubernetes
8 | learn-kubernetes: quotes
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: quotes
14 | template:
15 | metadata:
16 | labels:
17 | app: quotes
18 | spec:
19 | containers:
20 | - name: quotes
21 | image: quay.io/donschenck/quotes:v1
22 | imagePullPolicy: Always
23 | ports:
24 | - containerPort: 10000
25 | protocol: TCP
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.quotes
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/quotes-deployment.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | name: quotes
5 | labels:
6 | app: quotes
7 | sandbox: learn-kubernetes
8 | learn-kubernetes: quotes
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: quotes
14 | template:
15 | metadata:
16 | labels:
17 | app: quotes
18 | spec:
19 | containers:
20 | - name: quotes
21 | image: quay.io/donschenck/quotes:v1
22 | imagePullPolicy: Always
23 | ports:
24 | - containerPort: 10000
25 | protocol: TCP
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.quotes
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/quotes-deployment.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | name: quotes
5 | labels:
6 | app: quotes
7 | sandbox: learn-kubernetes
8 | learn-kubernetes: quotes
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: quotes
14 | template:
15 | metadata:
16 | labels:
17 | app: quotes
18 | spec:
19 | containers:
20 | - name: quotes
21 | image: quay.io/donschenck/quotes:v1
22 | imagePullPolicy: Always
23 | ports:
24 | - containerPort: 10000
25 | protocol: TCP
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.quotes
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/quotes-deployment.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | name: quotes
5 | labels:
6 | app: quotes
7 | sandbox: learn-kubernetes
8 | learn-kubernetes: quotes
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: quotes
14 | template:
15 | metadata:
16 | labels:
17 | app: quotes
18 | spec:
19 | containers:
20 | - name: quotes
21 | image: quay.io/donschenck/quotes:v1
22 | imagePullPolicy: Always
23 | ports:
24 | - containerPort: 10000
25 | protocol: TCP
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.quotes
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/quotes-deployment.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | name: quotes
5 | labels:
6 | app: quotes
7 | sandbox: learn-kubernetes
8 | learn-kubernetes: quotes
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: quotes
14 | template:
15 | metadata:
16 | labels:
17 | app: quotes
18 | spec:
19 | containers:
20 | - name: quotes
21 | image: quay.io/donschenck/quotes:v1
22 | imagePullPolicy: Always
23 | ports:
24 | - containerPort: 10000
25 | protocol: TCP
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.quotes
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/quotes-deployment.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | name: quotes
5 | labels:
6 | app: quotes
7 | sandbox: learn-kubernetes
8 | learn-kubernetes: quotes
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: quotes
14 | template:
15 | metadata:
16 | labels:
17 | app: quotes
18 | spec:
19 | containers:
20 | - name: quotes
21 | image: quay.io/donschenck/quotes:v1
22 | imagePullPolicy: Always
23 | ports:
24 | - containerPort: 10000
25 | protocol: TCP
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.quotes
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/quotes-deployment.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | name: quotes
5 | labels:
6 | app: quotes
7 | sandbox: learn-kubernetes
8 | learn-kubernetes: quotes
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: quotes
14 | template:
15 | metadata:
16 | labels:
17 | app: quotes
18 | spec:
19 | containers:
20 | - name: quotes
21 | image: quay.io/donschenck/quotes:v1
22 | imagePullPolicy: Always
23 | ports:
24 | - containerPort: 10000
25 | protocol: TCP
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.quotes
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/quotes-deployment.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | name: quotes
5 | labels:
6 | app: quotes
7 | sandbox: learn-kubernetes
8 | learn-kubernetes: quotes
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: quotes
14 | template:
15 | metadata:
16 | labels:
17 | app: quotes
18 | spec:
19 | containers:
20 | - name: quotes
21 | image: quay.io/donschenck/quotes:v1
22 | imagePullPolicy: Always
23 | ports:
24 | - containerPort: 10000
25 | protocol: TCP
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.quotes
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/quotes-deployment.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | name: quotes
5 | labels:
6 | app: quotes
7 | sandbox: learn-kubernetes
8 | learn-kubernetes: quotes
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: quotes
14 | template:
15 | metadata:
16 | labels:
17 | app: quotes
18 | spec:
19 | containers:
20 | - name: quotes
21 | image: quay.io/donschenck/quotes:v1
22 | imagePullPolicy: Always
23 | ports:
24 | - containerPort: 10000
25 | protocol: TCP
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.quotes
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/quotes-deployment.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | name: quotes
5 | labels:
6 | app: quotes
7 | sandbox: learn-kubernetes
8 | learn-kubernetes: quotes
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: quotes
14 | template:
15 | metadata:
16 | labels:
17 | app: quotes
18 | spec:
19 | containers:
20 | - name: quotes
21 | image: quay.io/donschenck/quotes:v1
22 | imagePullPolicy: Always
23 | ports:
24 | - containerPort: 10000
25 | protocol: TCP
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.quotes
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/quotes-deployment.yaml:1-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | name: quotes
5 | labels:
6 | app: quotes
7 | sandbox: learn-kubernetes
8 | learn-kubernetes: quotes
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: quotes
14 | template:
15 | metadata:
16 | labels:
17 | app: quotes
18 | spec:
19 | containers:
20 | - name: quotes
21 | image: quay.io/donschenck/quotes:v1
22 | imagePullPolicy: Always
23 | ports:
24 | - containerPort: 10000
25 | protocol: TCP
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.default.pvc-demo-pod
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/pod-volume-demo.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: pvc-demo-pod
5 | spec:
6 | containers:
7 | - name: frontend
8 | image: nginx
9 | volumeMounts:
10 | - mountPath: "/var/www/html"
11 | name: pvc-demo-volume
12 | volumes:
13 | - name: pvc-demo-volume
14 | persistentVolumeClaim:
15 | claimName: hello-web-disk
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.pvc-demo-pod
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/pod-volume-demo.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: pvc-demo-pod
5 | spec:
6 | containers:
7 | - name: frontend
8 | image: nginx
9 | volumeMounts:
10 | - mountPath: "/var/www/html"
11 | name: pvc-demo-volume
12 | volumes:
13 | - name: pvc-demo-volume
14 | persistentVolumeClaim:
15 | claimName: hello-web-disk
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Pod.default.pvc-demo-pod
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/pod-volume-demo.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: pvc-demo-pod
5 | spec:
6 | containers:
7 | - name: frontend
8 | image: nginx
9 | volumeMounts:
10 | - mountPath: "/var/www/html"
11 | name: pvc-demo-volume
12 | volumes:
13 | - name: pvc-demo-volume
14 | persistentVolumeClaim:
15 | claimName: hello-web-disk
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.pvc-demo-pod
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/pod-volume-demo.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: pvc-demo-pod
5 | spec:
6 | containers:
7 | - name: frontend
8 | image: nginx
9 | volumeMounts:
10 | - mountPath: "/var/www/html"
11 | name: pvc-demo-volume
12 | volumes:
13 | - name: pvc-demo-volume
14 | persistentVolumeClaim:
15 | claimName: hello-web-disk
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.pvc-demo-pod
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/pod-volume-demo.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: pvc-demo-pod
5 | spec:
6 | containers:
7 | - name: frontend
8 | image: nginx
9 | volumeMounts:
10 | - mountPath: "/var/www/html"
11 | name: pvc-demo-volume
12 | volumes:
13 | - name: pvc-demo-volume
14 | persistentVolumeClaim:
15 | claimName: hello-web-disk
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.pvc-demo-pod
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/pod-volume-demo.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: pvc-demo-pod
5 | spec:
6 | containers:
7 | - name: frontend
8 | image: nginx
9 | volumeMounts:
10 | - mountPath: "/var/www/html"
11 | name: pvc-demo-volume
12 | volumes:
13 | - name: pvc-demo-volume
14 | persistentVolumeClaim:
15 | claimName: hello-web-disk
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.default.pvc-demo-pod
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/pod-volume-demo.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: pvc-demo-pod
5 | spec:
6 | containers:
7 | - name: frontend
8 | image: nginx
9 | volumeMounts:
10 | - mountPath: "/var/www/html"
11 | name: pvc-demo-volume
12 | volumes:
13 | - name: pvc-demo-volume
14 | persistentVolumeClaim:
15 | claimName: hello-web-disk
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.pvc-demo-pod
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/pod-volume-demo.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: pvc-demo-pod
5 | spec:
6 | containers:
7 | - name: frontend
8 | image: nginx
9 | volumeMounts:
10 | - mountPath: "/var/www/html"
11 | name: pvc-demo-volume
12 | volumes:
13 | - name: pvc-demo-volume
14 | persistentVolumeClaim:
15 | claimName: hello-web-disk
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.pvc-demo-pod
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/pod-volume-demo.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: pvc-demo-pod
5 | spec:
6 | containers:
7 | - name: frontend
8 | image: nginx
9 | volumeMounts:
10 | - mountPath: "/var/www/html"
11 | name: pvc-demo-volume
12 | volumes:
13 | - name: pvc-demo-volume
14 | persistentVolumeClaim:
15 | claimName: hello-web-disk
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.pvc-demo-pod
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/pod-volume-demo.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 | name: pvc-demo-pod
5 | spec:
6 | containers:
7 | - name: frontend
8 | image: nginx
9 | volumeMounts:
10 | - mountPath: "/var/www/html"
11 | name: pvc-demo-volume
12 | volumes:
13 | - name: pvc-demo-volume
14 | persistentVolumeClaim:
15 | claimName: hello-web-disk
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.default.pvc-demo-pod
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/pod-volume-demo.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.pvc-demo-pod
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/pod-volume-demo.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.default.pvc-demo-pod
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/pod-volume-demo.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.pvc-demo-pod
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/pod-volume-demo.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.pvc-demo-pod
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/pod-volume-demo.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.pvc-demo-pod
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/pod-volume-demo.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Pod.default.pvc-demo-pod
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/pod-volume-demo.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.default.pvc-demo-pod
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/pod-volume-demo.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.pvc-demo-pod
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/pod-volume-demo.yaml:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.statefulset-demo-service
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/statefulset-demo.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | kind: Service
2 | apiVersion: v1
3 | metadata:
4 |   name: statefulset-demo-service
5 | spec:
6 |   ports:
7 |     - protocol: TCP
8 |       port: 80
9 |       targetPort: 9376
10 |   type: LoadBalancer
11 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: StatefulSet.default.statefulset-demo
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/statefulset-demo.yaml:12-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
12 | apiVersion: apps/v1
13 | kind: StatefulSet
14 | metadata:
15 |   name: statefulset-demo
16 | spec:
17 |   selector:
18 |     matchLabels:
19 |       app: MyApp
20 |   serviceName: statefulset-demo-service
21 |   replicas: 3
22 |   updateStrategy:
23 |     type: RollingUpdate
24 |   template:
25 |     metadata:
26 |       labels:
27 |         app: MyApp
28 |     spec:
29 |       containers:
30 |         - name: stateful-set-container
31 |           image: nginx
32 |           ports:
33 |             - containerPort: 80
34 |               name: http
35 |           volumeMounts:
36 |             - name: hello-web-disk
37 |               mountPath: "/var/www/html"
38 |   volumeClaimTemplates:
39 |     - metadata:
40 |         name: hello-web-disk
41 |       spec:
42 |         accessModes: [ "ReadWriteOnce" ]
43 |         resources:
44 |           requests:
45 |             storage: 30Gi
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: StatefulSet.default.statefulset-demo
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/statefulset-demo.yaml:12-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: StatefulSet.default.statefulset-demo
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/statefulset-demo.yaml:12-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: StatefulSet.default.statefulset-demo
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/statefulset-demo.yaml:12-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: StatefulSet.default.statefulset-demo
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/statefulset-demo.yaml:12-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: StatefulSet.default.statefulset-demo
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/statefulset-demo.yaml:12-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: StatefulSet.default.statefulset-demo
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/statefulset-demo.yaml:12-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: StatefulSet.default.statefulset-demo
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/statefulset-demo.yaml:12-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: StatefulSet.default.statefulset-demo
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/statefulset-demo.yaml:12-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: StatefulSet.default.statefulset-demo
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/statefulset-demo.yaml:12-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: StatefulSet.default.statefulset-demo
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/statefulset-demo.yaml:12-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: StatefulSet.default.statefulset-demo
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/statefulset-demo.yaml:12-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: StatefulSet.default.statefulset-demo
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/statefulset-demo.yaml:12-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: StatefulSet.default.statefulset-demo
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/statefulset-demo.yaml:12-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: StatefulSet.default.statefulset-demo
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/statefulset-demo.yaml:12-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: StatefulSet.default.statefulset-demo
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/statefulset-demo.yaml:12-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: StatefulSet.default.statefulset-demo
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/statefulset-demo.yaml:12-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: StatefulSet.default.statefulset-demo
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/statefulset-demo.yaml:12-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: StatefulSet.default.statefulset-demo
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/statefulset-demo.yaml:12-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-deployment.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: nginx-deployment
5 |   labels:
6 |     app: nginx
7 | spec:
8 |   replicas: 3
9 |   selector:
10 |     matchLabels:
11 |       app: nginx
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: nginx
16 |     spec:
17 |       containers:
18 |         - name: nginx
19 |           image: nginx:1.7.9
20 |           ports:
21 |             - containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-deployment.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-deployment.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-deployment.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-deployment.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-deployment.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-deployment.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-deployment.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-deployment.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-deployment.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-deployment.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-deployment.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-deployment.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-deployment.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-deployment.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-deployment.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.nginx-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-deployment.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-deployment.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-deployment.yaml:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.nginx
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/service-nginx.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 |   name: nginx
5 | spec:
6 |   type: LoadBalancer
7 |   selector:
8 |     app: nginx
9 |   ports:
10 |   - protocol: TCP
11 |     port: 60000
12 |     targetPort: 80
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.nginx
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-svc-session-affinity.yaml:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 |   name: nginx
5 | spec:
6 |   type: LoadBalancer
7 |   sessionAffinity: ClientIP
8 |   selector:
9 |     app: nginx
10 |   ports:
11 |   - protocol: TCP
12 |     port: 60000
13 |     targetPort: 80
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx-canary
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-canary.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: nginx-canary
5 |   labels:
6 |     app: nginx
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: nginx
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: nginx
16 |         track: canary
17 |         Version: 1.9.1
18 |     spec:
19 |       containers:
20 |       - name: nginx
21 |         image: nginx:1.9.1
22 |         ports:
23 |         - containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx-canary
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-canary.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.nginx-canary
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-canary.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx-canary
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-canary.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx-canary
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-canary.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx-canary
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-canary.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-canary
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-canary.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx-canary
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-canary.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx-canary
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-canary.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx-canary
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-canary.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx-canary
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-canary.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx-canary
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-canary.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx-canary
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-canary.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx-canary
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-canary.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx-canary
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-canary.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx-canary
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-canary.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.nginx-canary
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-canary.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.nginx-canary
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-canary.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx-canary
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-canary.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
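The findings above for nginx-deployment.yaml and nginx-canary.yaml are the same twenty CKV_K8S_* checks failing on a bare-minimum Deployment. Below is an added remediation example, written for this page and not taken from the repository, showing one manifest that clears every one of those checks; each field is annotated with the check it satisfies. Assumptions: the `web` namespace, the `nginxinc/nginx-unprivileged` image (chosen because the stock `nginx` image binds port 80 as root), the UID 10001, the resource values and the probe timings are all illustrative, and `<digest>` is a placeholder that must be replaced with the real `sha256` digest of the image you deploy.

```yaml
# Added example: hardened replacement for nginx-deployment.yaml.
# Not part of the repository; namespace, image, UID, resources and probes are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  namespace: web                          # CKV_K8S_21: never the default namespace (assumed name)
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      automountServiceAccountToken: false  # CKV_K8S_38: nginx never calls the API server
      securityContext:                     # CKV_K8S_29: pod-level security context
        runAsNonRoot: true                 # CKV_K8S_23
        runAsUser: 10001                   # CKV_K8S_40: UID >= 10000 cannot collide with host users
        runAsGroup: 10001
        fsGroup: 10001
        seccompProfile:
          type: RuntimeDefault             # CKV_K8S_31: runtime/default seccomp profile
      containers:
      - name: nginx
        # CKV_K8S_43: pin by digest, not tag. <digest> is a placeholder; resolve it with
        # `crane digest nginxinc/nginx-unprivileged:1.25` (or your registry UI) before applying.
        image: nginxinc/nginx-unprivileged:1.25@sha256:<digest>
        imagePullPolicy: Always            # CKV_K8S_15 (moot once pinned by digest, but the check wants it)
        ports:
        - containerPort: 8080              # the unprivileged image listens on 8080, not 80
        securityContext:                   # CKV_K8S_30: container-level security context
          allowPrivilegeEscalation: false  # CKV_K8S_20
          readOnlyRootFilesystem: true     # CKV_K8S_22
          runAsNonRoot: true
          capabilities:
            drop: ["ALL"]                  # CKV_K8S_28 (NET_RAW) and CKV_K8S_37 (all capabilities)
        resources:
          requests:
            cpu: 100m                      # CKV_K8S_10
            memory: 64Mi                   # CKV_K8S_12
          limits:
            cpu: 250m                      # CKV_K8S_11
            memory: 128Mi                  # CKV_K8S_13
        livenessProbe:                     # CKV_K8S_8
          httpGet:
            path: /
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 10
        readinessProbe:                    # CKV_K8S_9
          httpGet:
            path: /
            port: 8080
          periodSeconds: 5
        volumeMounts:
        - name: tmp
          mountPath: /tmp                  # the unprivileged image keeps its pid file and temp paths under /tmp,
      volumes:                             # so a read-only root filesystem needs this one writable mount
      - name: tmp
        emptyDir: {}
```

Re-run `checkov -d <path-to-manifests> --framework kubernetes` after the change; the Deployment should report zero failed checks. Two caveats a reviewer would raise: `runAsUser: 10001` is not the UID the image was built for (101), which works here only because nginx's config files are world-readable and its writable paths are all under the `/tmp` emptyDir, so verify any other image the same way before copying this pattern; and the Service manifests in this report fail only CKV_K8S_21, for which setting `metadata.namespace` to the same `web` namespace (and pointing `targetPort` at 8080) is the whole fix.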
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.auth
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/services/auth.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | kind: Service
2 | apiVersion: v1
3 | metadata:
4 |   name: "auth"
5 | spec:
6 |   selector:
7 |     app: "auth"
8 |   ports:
9 |   - protocol: "TCP"
10 |     port: 80
11 |     targetPort: 80
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.hello
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/services/hello-green.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | kind: Service
2 | apiVersion: v1
3 | metadata:
4 |   name: hello
5 | spec:
6 |   selector:
7 |     app: hello
8 |     version: 2.0.0
9 |   ports:
10 |   - protocol: TCP
11 |     port: 80
12 |     targetPort: 80
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/services/monolith.yaml:1-14
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | kind: Service
2 | apiVersion: v1
3 | metadata:
4 |   name: "monolith"
5 | spec:
6 |   selector:
7 |     app: "monolith"
8 |     secure: "enabled"
9 |   ports:
10 |   - protocol: "TCP"
11 |     port: 443
12 |     targetPort: 443
13 |     nodePort: 31000
14 |   type: NodePort
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.hello
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/services/hello-blue.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | kind: Service
2 | apiVersion: v1
3 | metadata:
4 | name: "hello"
5 | spec:
6 | selector:
7 | app: "hello"
8 | version: 1.0.0
9 | ports:
10 | - protocol: "TCP"
11 | port: 80
12 | targetPort: 80
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.frontend
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/services/frontend.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | kind: Service
2 | apiVersion: v1
3 | metadata:
4 | name: "frontend"
5 | spec:
6 | selector:
7 | app: "frontend"
8 | ports:
9 | - protocol: "TCP"
10 | port: 443
11 | targetPort: 443
12 | type: LoadBalancer
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.hello
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/services/hello.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | kind: Service
2 | apiVersion: v1
3 | metadata:
4 | name: "hello"
5 | spec:
6 | selector:
7 | app: "hello"
8 | ports:
9 | - protocol: "TCP"
10 | port: 80
11 | targetPort: 80
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.default.secure-monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/secure-monolith.yaml:1-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.secure-monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/secure-monolith.yaml:1-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Pod.default.secure-monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/secure-monolith.yaml:1-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.secure-monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/secure-monolith.yaml:1-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.secure-monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/secure-monolith.yaml:1-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.secure-monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/secure-monolith.yaml:1-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.default.secure-monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/secure-monolith.yaml:1-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.secure-monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/secure-monolith.yaml:1-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.secure-monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/secure-monolith.yaml:1-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.secure-monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/secure-monolith.yaml:1-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.default.secure-monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/secure-monolith.yaml:1-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.secure-monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/secure-monolith.yaml:1-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.default.secure-monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/secure-monolith.yaml:1-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.secure-monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/secure-monolith.yaml:1-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.secure-monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/secure-monolith.yaml:1-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.secure-monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/secure-monolith.yaml:1-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Pod.default.secure-monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/secure-monolith.yaml:1-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Pod.default.secure-monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/secure-monolith.yaml:1-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.secure-monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/secure-monolith.yaml:1-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/monolith.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: monolith
5 | labels:
6 | app: monolith
7 | spec:
8 | containers:
9 | - name: monolith
10 | image: kelseyhightower/monolith:1.0.0
11 | args:
12 | - "-http=0.0.0.0:80"
13 | - "-health=0.0.0.0:81"
14 | - "-secret=secret"
15 | ports:
16 | - name: http
17 | containerPort: 80
18 | - name: health
19 | containerPort: 81
20 | resources:
21 | limits:
22 | cpu: 0.2
23 | memory: "10Mi"
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/monolith.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/monolith.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/monolith.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.default.monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/monolith.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/monolith.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/monolith.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/monolith.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.default.monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/monolith.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/monolith.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/monolith.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/monolith.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/monolith.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Pod.default.monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/monolith.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/monolith.yaml:1-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.healthy-monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/healthy-monolith.yaml:1-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 | name: "healthy-monolith"
5 | labels:
6 | app: monolith
7 | spec:
8 | containers:
9 | - name: monolith
10 | image: kelseyhightower/monolith:1.0.0
11 | ports:
12 | - name: http
13 | containerPort: 80
14 | - name: health
15 | containerPort: 81
16 | resources:
17 | limits:
18 | cpu: 0.2
19 | memory: "10Mi"
20 | livenessProbe:
21 | httpGet:
22 | path: /healthz
23 | port: 81
24 | scheme: HTTP
25 | initialDelaySeconds: 5
26 | periodSeconds: 15
27 | timeoutSeconds: 5
28 | readinessProbe:
29 | httpGet:
30 | path: /readiness
31 | port: 81
32 | scheme: HTTP
33 | initialDelaySeconds: 5
34 | timeoutSeconds: 1
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.healthy-monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/healthy-monolith.yaml:1-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.healthy-monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/healthy-monolith.yaml:1-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.healthy-monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/healthy-monolith.yaml:1-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.healthy-monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/healthy-monolith.yaml:1-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.healthy-monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/healthy-monolith.yaml:1-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.healthy-monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/healthy-monolith.yaml:1-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.healthy-monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/healthy-monolith.yaml:1-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.healthy-monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/healthy-monolith.yaml:1-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.healthy-monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/healthy-monolith.yaml:1-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.healthy-monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/healthy-monolith.yaml:1-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Pod.default.healthy-monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/healthy-monolith.yaml:1-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.healthy-monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/healthy-monolith.yaml:1-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.auth
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/auth.yaml:1-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: auth
5 | spec:
6 |   replicas: 1
7 |   selector:
8 |     matchLabels:
9 |       app: auth
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: auth
14 |         track: stable
15 |     spec:
16 |       containers:
17 |         - name: auth
18 |           image: "kelseyhightower/auth:2.0.0"
19 |           ports:
20 |             - name: http
21 |               containerPort: 80
22 |             - name: health
23 |               containerPort: 81
24 |           resources:
25 |             limits:
26 |               cpu: 0.2
27 |               memory: "10Mi"
28 |           livenessProbe:
29 |             httpGet:
30 |               path: /healthz
31 |               port: 81
32 |               scheme: HTTP
33 |             initialDelaySeconds: 5
34 |             periodSeconds: 15
35 |             timeoutSeconds: 5
36 |           readinessProbe:
37 |             httpGet:
38 |               path: /readiness
39 |               port: 81
40 |               scheme: HTTP
41 |             initialDelaySeconds: 5
42 |             timeoutSeconds: 1
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.auth
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/auth.yaml:1-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.auth
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/auth.yaml:1-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.auth
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/auth.yaml:1-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.auth
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/auth.yaml:1-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.auth
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/auth.yaml:1-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.auth
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/auth.yaml:1-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.auth
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/auth.yaml:1-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.auth
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/auth.yaml:1-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.auth
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/auth.yaml:1-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.auth
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/auth.yaml:1-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.auth
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/auth.yaml:1-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.auth
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/auth.yaml:1-42
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.hello-green
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello-green.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: hello-green
5 | spec:
6 |   replicas: 3
7 |   selector:
8 |     matchLabels:
9 |       app: hello
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: hello
14 |         track: stable
15 |         version: 2.0.0
16 |     spec:
17 |       containers:
18 |         - name: hello
19 |           image: kelseyhightower/hello:2.0.0
20 |           ports:
21 |             - name: http
22 |               containerPort: 80
23 |             - name: health
24 |               containerPort: 81
25 |           resources:
26 |             limits:
27 |               cpu: 0.2
28 |               memory: 10Mi
29 |           livenessProbe:
30 |             httpGet:
31 |               path: /healthz
32 |               port: 81
33 |               scheme: HTTP
34 |             initialDelaySeconds: 5
35 |             periodSeconds: 15
36 |             timeoutSeconds: 5
37 |           readinessProbe:
38 |             httpGet:
39 |               path: /readiness
40 |               port: 81
41 |               scheme: HTTP
42 |             initialDelaySeconds: 5
43 |             timeoutSeconds: 1
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.hello-green
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello-green.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.hello-green
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello-green.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.hello-green
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello-green.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.hello-green
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello-green.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.hello-green
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello-green.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.hello-green
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello-green.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.hello-green
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello-green.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: hello-green
5 | spec:
6 |   replicas: 3
7 |   selector:
8 |     matchLabels:
9 |       app: hello
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: hello
14 |         track: stable
15 |         version: 2.0.0
16 |     spec:
17 |       containers:
18 |         - name: hello
19 |           image: kelseyhightower/hello:2.0.0
20 |           ports:
21 |             - name: http
22 |               containerPort: 80
23 |             - name: health
24 |               containerPort: 81
25 |           resources:
26 |             limits:
27 |               cpu: 0.2
28 |               memory: 10Mi
29 |           livenessProbe:
30 |             httpGet:
31 |               path: /healthz
32 |               port: 81
33 |               scheme: HTTP
34 |             initialDelaySeconds: 5
35 |             periodSeconds: 15
36 |             timeoutSeconds: 5
37 |           readinessProbe:
38 |             httpGet:
39 |               path: /readiness
40 |               port: 81
41 |               scheme: HTTP
42 |             initialDelaySeconds: 5
43 |             timeoutSeconds: 1
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.hello-green
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello-green.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: hello-green
5 | spec:
6 |   replicas: 3
7 |   selector:
8 |     matchLabels:
9 |       app: hello
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: hello
14 |         track: stable
15 |         version: 2.0.0
16 |     spec:
17 |       containers:
18 |         - name: hello
19 |           image: kelseyhightower/hello:2.0.0
20 |           ports:
21 |             - name: http
22 |               containerPort: 80
23 |             - name: health
24 |               containerPort: 81
25 |           resources:
26 |             limits:
27 |               cpu: 0.2
28 |               memory: 10Mi
29 |           livenessProbe:
30 |             httpGet:
31 |               path: /healthz
32 |               port: 81
33 |               scheme: HTTP
34 |             initialDelaySeconds: 5
35 |             periodSeconds: 15
36 |             timeoutSeconds: 5
37 |           readinessProbe:
38 |             httpGet:
39 |               path: /readiness
40 |               port: 81
41 |               scheme: HTTP
42 |             initialDelaySeconds: 5
43 |             timeoutSeconds: 1
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.hello-green
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello-green.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: hello-green
5 | spec:
6 |   replicas: 3
7 |   selector:
8 |     matchLabels:
9 |       app: hello
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: hello
14 |         track: stable
15 |         version: 2.0.0
16 |     spec:
17 |       containers:
18 |         - name: hello
19 |           image: kelseyhightower/hello:2.0.0
20 |           ports:
21 |             - name: http
22 |               containerPort: 80
23 |             - name: health
24 |               containerPort: 81
25 |           resources:
26 |             limits:
27 |               cpu: 0.2
28 |               memory: 10Mi
29 |           livenessProbe:
30 |             httpGet:
31 |               path: /healthz
32 |               port: 81
33 |               scheme: HTTP
34 |             initialDelaySeconds: 5
35 |             periodSeconds: 15
36 |             timeoutSeconds: 5
37 |           readinessProbe:
38 |             httpGet:
39 |               path: /readiness
40 |               port: 81
41 |               scheme: HTTP
42 |             initialDelaySeconds: 5
43 |             timeoutSeconds: 1
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.hello-green
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello-green.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: hello-green
5 | spec:
6 |   replicas: 3
7 |   selector:
8 |     matchLabels:
9 |       app: hello
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: hello
14 |         track: stable
15 |         version: 2.0.0
16 |     spec:
17 |       containers:
18 |         - name: hello
19 |           image: kelseyhightower/hello:2.0.0
20 |           ports:
21 |             - name: http
22 |               containerPort: 80
23 |             - name: health
24 |               containerPort: 81
25 |           resources:
26 |             limits:
27 |               cpu: 0.2
28 |               memory: 10Mi
29 |           livenessProbe:
30 |             httpGet:
31 |               path: /healthz
32 |               port: 81
33 |               scheme: HTTP
34 |             initialDelaySeconds: 5
35 |             periodSeconds: 15
36 |             timeoutSeconds: 5
37 |           readinessProbe:
38 |             httpGet:
39 |               path: /readiness
40 |               port: 81
41 |               scheme: HTTP
42 |             initialDelaySeconds: 5
43 |             timeoutSeconds: 1
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.hello-green
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello-green.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: hello-green
5 | spec:
6 |   replicas: 3
7 |   selector:
8 |     matchLabels:
9 |       app: hello
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: hello
14 |         track: stable
15 |         version: 2.0.0
16 |     spec:
17 |       containers:
18 |         - name: hello
19 |           image: kelseyhightower/hello:2.0.0
20 |           ports:
21 |             - name: http
22 |               containerPort: 80
23 |             - name: health
24 |               containerPort: 81
25 |           resources:
26 |             limits:
27 |               cpu: 0.2
28 |               memory: 10Mi
29 |           livenessProbe:
30 |             httpGet:
31 |               path: /healthz
32 |               port: 81
33 |               scheme: HTTP
34 |             initialDelaySeconds: 5
35 |             periodSeconds: 15
36 |             timeoutSeconds: 5
37 |           readinessProbe:
38 |             httpGet:
39 |               path: /readiness
40 |               port: 81
41 |               scheme: HTTP
42 |             initialDelaySeconds: 5
43 |             timeoutSeconds: 1
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.hello-green
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello-green.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: hello-green
5 | spec:
6 |   replicas: 3
7 |   selector:
8 |     matchLabels:
9 |       app: hello
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: hello
14 |         track: stable
15 |         version: 2.0.0
16 |     spec:
17 |       containers:
18 |         - name: hello
19 |           image: kelseyhightower/hello:2.0.0
20 |           ports:
21 |             - name: http
22 |               containerPort: 80
23 |             - name: health
24 |               containerPort: 81
25 |           resources:
26 |             limits:
27 |               cpu: 0.2
28 |               memory: 10Mi
29 |           livenessProbe:
30 |             httpGet:
31 |               path: /healthz
32 |               port: 81
33 |               scheme: HTTP
34 |             initialDelaySeconds: 5
35 |             periodSeconds: 15
36 |             timeoutSeconds: 5
37 |           readinessProbe:
38 |             httpGet:
39 |               path: /readiness
40 |               port: 81
41 |               scheme: HTTP
42 |             initialDelaySeconds: 5
43 |             timeoutSeconds: 1
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.frontend
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/frontend.yaml:1-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: frontend
5 | spec:
6 |   replicas: 1
7 |   selector:
8 |     matchLabels:
9 |       app: frontend
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: frontend
14 |         track: stable
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: "nginx:1.9.14"
19 |           lifecycle:
20 |             preStop:
21 |               exec:
22 |                 command: ["/usr/sbin/nginx","-s","quit"]
23 |           volumeMounts:
24 |             - name: "nginx-frontend-conf"
25 |               mountPath: "/etc/nginx/conf.d"
26 |             - name: "tls-certs"
27 |               mountPath: "/etc/tls"
28 |       volumes:
29 |         - name: "tls-certs"
30 |           secret:
31 |             secretName: "tls-certs"
32 |         - name: "nginx-frontend-conf"
33 |           configMap:
34 |             name: "nginx-frontend-conf"
35 |             items:
36 |               - key: "frontend.conf"
37 |                 path: "frontend.conf"
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.frontend
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/frontend.yaml:1-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: frontend
5 | spec:
6 |   replicas: 1
7 |   selector:
8 |     matchLabels:
9 |       app: frontend
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: frontend
14 |         track: stable
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: "nginx:1.9.14"
19 |           lifecycle:
20 |             preStop:
21 |               exec:
22 |                 command: ["/usr/sbin/nginx","-s","quit"]
23 |           volumeMounts:
24 |             - name: "nginx-frontend-conf"
25 |               mountPath: "/etc/nginx/conf.d"
26 |             - name: "tls-certs"
27 |               mountPath: "/etc/tls"
28 |       volumes:
29 |         - name: "tls-certs"
30 |           secret:
31 |             secretName: "tls-certs"
32 |         - name: "nginx-frontend-conf"
33 |           configMap:
34 |             name: "nginx-frontend-conf"
35 |             items:
36 |               - key: "frontend.conf"
37 |                 path: "frontend.conf"
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.frontend
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/frontend.yaml:1-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: frontend
5 | spec:
6 |   replicas: 1
7 |   selector:
8 |     matchLabels:
9 |       app: frontend
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: frontend
14 |         track: stable
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: "nginx:1.9.14"
19 |           lifecycle:
20 |             preStop:
21 |               exec:
22 |                 command: ["/usr/sbin/nginx","-s","quit"]
23 |           volumeMounts:
24 |             - name: "nginx-frontend-conf"
25 |               mountPath: "/etc/nginx/conf.d"
26 |             - name: "tls-certs"
27 |               mountPath: "/etc/tls"
28 |       volumes:
29 |         - name: "tls-certs"
30 |           secret:
31 |             secretName: "tls-certs"
32 |         - name: "nginx-frontend-conf"
33 |           configMap:
34 |             name: "nginx-frontend-conf"
35 |             items:
36 |               - key: "frontend.conf"
37 |                 path: "frontend.conf"
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.frontend
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/frontend.yaml:1-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: frontend
5 | spec:
6 |   replicas: 1
7 |   selector:
8 |     matchLabels:
9 |       app: frontend
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: frontend
14 |         track: stable
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: "nginx:1.9.14"
19 |           lifecycle:
20 |             preStop:
21 |               exec:
22 |                 command: ["/usr/sbin/nginx","-s","quit"]
23 |           volumeMounts:
24 |             - name: "nginx-frontend-conf"
25 |               mountPath: "/etc/nginx/conf.d"
26 |             - name: "tls-certs"
27 |               mountPath: "/etc/tls"
28 |       volumes:
29 |         - name: "tls-certs"
30 |           secret:
31 |             secretName: "tls-certs"
32 |         - name: "nginx-frontend-conf"
33 |           configMap:
34 |             name: "nginx-frontend-conf"
35 |             items:
36 |               - key: "frontend.conf"
37 |                 path: "frontend.conf"
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.frontend
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/frontend.yaml:1-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: frontend
5 | spec:
6 |   replicas: 1
7 |   selector:
8 |     matchLabels:
9 |       app: frontend
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: frontend
14 |         track: stable
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: "nginx:1.9.14"
19 |           lifecycle:
20 |             preStop:
21 |               exec:
22 |                 command: ["/usr/sbin/nginx","-s","quit"]
23 |           volumeMounts:
24 |             - name: "nginx-frontend-conf"
25 |               mountPath: "/etc/nginx/conf.d"
26 |             - name: "tls-certs"
27 |               mountPath: "/etc/tls"
28 |       volumes:
29 |         - name: "tls-certs"
30 |           secret:
31 |             secretName: "tls-certs"
32 |         - name: "nginx-frontend-conf"
33 |           configMap:
34 |             name: "nginx-frontend-conf"
35 |             items:
36 |               - key: "frontend.conf"
37 |                 path: "frontend.conf"
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.frontend
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/frontend.yaml:1-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: frontend
5 | spec:
6 |   replicas: 1
7 |   selector:
8 |     matchLabels:
9 |       app: frontend
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: frontend
14 |         track: stable
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: "nginx:1.9.14"
19 |           lifecycle:
20 |             preStop:
21 |               exec:
22 |                 command: ["/usr/sbin/nginx","-s","quit"]
23 |           volumeMounts:
24 |             - name: "nginx-frontend-conf"
25 |               mountPath: "/etc/nginx/conf.d"
26 |             - name: "tls-certs"
27 |               mountPath: "/etc/tls"
28 |       volumes:
29 |         - name: "tls-certs"
30 |           secret:
31 |             secretName: "tls-certs"
32 |         - name: "nginx-frontend-conf"
33 |           configMap:
34 |             name: "nginx-frontend-conf"
35 |             items:
36 |               - key: "frontend.conf"
37 |                 path: "frontend.conf"
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.frontend
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/frontend.yaml:1-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: frontend
5 | spec:
6 |   replicas: 1
7 |   selector:
8 |     matchLabels:
9 |       app: frontend
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: frontend
14 |         track: stable
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: "nginx:1.9.14"
19 |           lifecycle:
20 |             preStop:
21 |               exec:
22 |                 command: ["/usr/sbin/nginx","-s","quit"]
23 |           volumeMounts:
24 |             - name: "nginx-frontend-conf"
25 |               mountPath: "/etc/nginx/conf.d"
26 |             - name: "tls-certs"
27 |               mountPath: "/etc/tls"
28 |       volumes:
29 |         - name: "tls-certs"
30 |           secret:
31 |             secretName: "tls-certs"
32 |         - name: "nginx-frontend-conf"
33 |           configMap:
34 |             name: "nginx-frontend-conf"
35 |             items:
36 |               - key: "frontend.conf"
37 |                 path: "frontend.conf"
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.frontend
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/frontend.yaml:1-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: frontend
5 | spec:
6 |   replicas: 1
7 |   selector:
8 |     matchLabels:
9 |       app: frontend
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: frontend
14 |         track: stable
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: "nginx:1.9.14"
19 |           lifecycle:
20 |             preStop:
21 |               exec:
22 |                 command: ["/usr/sbin/nginx","-s","quit"]
23 |           volumeMounts:
24 |             - name: "nginx-frontend-conf"
25 |               mountPath: "/etc/nginx/conf.d"
26 |             - name: "tls-certs"
27 |               mountPath: "/etc/tls"
28 |       volumes:
29 |         - name: "tls-certs"
30 |           secret:
31 |             secretName: "tls-certs"
32 |         - name: "nginx-frontend-conf"
33 |           configMap:
34 |             name: "nginx-frontend-conf"
35 |             items:
36 |               - key: "frontend.conf"
37 |                 path: "frontend.conf"
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.frontend
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/frontend.yaml:1-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: frontend
5 | spec:
6 |   replicas: 1
7 |   selector:
8 |     matchLabels:
9 |       app: frontend
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: frontend
14 |         track: stable
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: "nginx:1.9.14"
19 |           lifecycle:
20 |             preStop:
21 |               exec:
22 |                 command: ["/usr/sbin/nginx","-s","quit"]
23 |           volumeMounts:
24 |             - name: "nginx-frontend-conf"
25 |               mountPath: "/etc/nginx/conf.d"
26 |             - name: "tls-certs"
27 |               mountPath: "/etc/tls"
28 |       volumes:
29 |         - name: "tls-certs"
30 |           secret:
31 |             secretName: "tls-certs"
32 |         - name: "nginx-frontend-conf"
33 |           configMap:
34 |             name: "nginx-frontend-conf"
35 |             items:
36 |               - key: "frontend.conf"
37 |                 path: "frontend.conf"
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.frontend
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/frontend.yaml:1-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: frontend
5 | spec:
6 |   replicas: 1
7 |   selector:
8 |     matchLabels:
9 |       app: frontend
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: frontend
14 |         track: stable
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: "nginx:1.9.14"
19 |           lifecycle:
20 |             preStop:
21 |               exec:
22 |                 command: ["/usr/sbin/nginx","-s","quit"]
23 |           volumeMounts:
24 |             - name: "nginx-frontend-conf"
25 |               mountPath: "/etc/nginx/conf.d"
26 |             - name: "tls-certs"
27 |               mountPath: "/etc/tls"
28 |       volumes:
29 |         - name: "tls-certs"
30 |           secret:
31 |             secretName: "tls-certs"
32 |         - name: "nginx-frontend-conf"
33 |           configMap:
34 |             name: "nginx-frontend-conf"
35 |             items:
36 |               - key: "frontend.conf"
37 |                 path: "frontend.conf"
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.frontend
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/frontend.yaml:1-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: frontend
5 | spec:
6 |   replicas: 1
7 |   selector:
8 |     matchLabels:
9 |       app: frontend
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: frontend
14 |         track: stable
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: "nginx:1.9.14"
19 |           lifecycle:
20 |             preStop:
21 |               exec:
22 |                 command: ["/usr/sbin/nginx","-s","quit"]
23 |           volumeMounts:
24 |             - name: "nginx-frontend-conf"
25 |               mountPath: "/etc/nginx/conf.d"
26 |             - name: "tls-certs"
27 |               mountPath: "/etc/tls"
28 |       volumes:
29 |         - name: "tls-certs"
30 |           secret:
31 |             secretName: "tls-certs"
32 |         - name: "nginx-frontend-conf"
33 |           configMap:
34 |             name: "nginx-frontend-conf"
35 |             items:
36 |               - key: "frontend.conf"
37 |                 path: "frontend.conf"
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.frontend
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/frontend.yaml:1-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: frontend
5 | spec:
6 |   replicas: 1
7 |   selector:
8 |     matchLabels:
9 |       app: frontend
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: frontend
14 |         track: stable
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: "nginx:1.9.14"
19 |           lifecycle:
20 |             preStop:
21 |               exec:
22 |                 command: ["/usr/sbin/nginx","-s","quit"]
23 |           volumeMounts:
24 |             - name: "nginx-frontend-conf"
25 |               mountPath: "/etc/nginx/conf.d"
26 |             - name: "tls-certs"
27 |               mountPath: "/etc/tls"
28 |       volumes:
29 |         - name: "tls-certs"
30 |           secret:
31 |             secretName: "tls-certs"
32 |         - name: "nginx-frontend-conf"
33 |           configMap:
34 |             name: "nginx-frontend-conf"
35 |             items:
36 |               - key: "frontend.conf"
37 |                 path: "frontend.conf"
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.frontend
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/frontend.yaml:1-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: frontend
5 | spec:
6 |   replicas: 1
7 |   selector:
8 |     matchLabels:
9 |       app: frontend
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: frontend
14 |         track: stable
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: "nginx:1.9.14"
19 |           lifecycle:
20 |             preStop:
21 |               exec:
22 |                 command: ["/usr/sbin/nginx","-s","quit"]
23 |           volumeMounts:
24 |             - name: "nginx-frontend-conf"
25 |               mountPath: "/etc/nginx/conf.d"
26 |             - name: "tls-certs"
27 |               mountPath: "/etc/tls"
28 |       volumes:
29 |         - name: "tls-certs"
30 |           secret:
31 |             secretName: "tls-certs"
32 |         - name: "nginx-frontend-conf"
33 |           configMap:
34 |             name: "nginx-frontend-conf"
35 |             items:
36 |               - key: "frontend.conf"
37 |                 path: "frontend.conf"
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.frontend
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/frontend.yaml:1-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: frontend
5 | spec:
6 |   replicas: 1
7 |   selector:
8 |     matchLabels:
9 |       app: frontend
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: frontend
14 |         track: stable
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: "nginx:1.9.14"
19 |           lifecycle:
20 |             preStop:
21 |               exec:
22 |                 command: ["/usr/sbin/nginx","-s","quit"]
23 |           volumeMounts:
24 |             - name: "nginx-frontend-conf"
25 |               mountPath: "/etc/nginx/conf.d"
26 |             - name: "tls-certs"
27 |               mountPath: "/etc/tls"
28 |       volumes:
29 |         - name: "tls-certs"
30 |           secret:
31 |             secretName: "tls-certs"
32 |         - name: "nginx-frontend-conf"
33 |           configMap:
34 |             name: "nginx-frontend-conf"
35 |             items:
36 |               - key: "frontend.conf"
37 |                 path: "frontend.conf"
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.frontend
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/frontend.yaml:1-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: frontend
5 | spec:
6 |   replicas: 1
7 |   selector:
8 |     matchLabels:
9 |       app: frontend
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: frontend
14 |         track: stable
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: "nginx:1.9.14"
19 |           lifecycle:
20 |             preStop:
21 |               exec:
22 |                 command: ["/usr/sbin/nginx","-s","quit"]
23 |           volumeMounts:
24 |             - name: "nginx-frontend-conf"
25 |               mountPath: "/etc/nginx/conf.d"
26 |             - name: "tls-certs"
27 |               mountPath: "/etc/tls"
28 |       volumes:
29 |         - name: "tls-certs"
30 |           secret:
31 |             secretName: "tls-certs"
32 |         - name: "nginx-frontend-conf"
33 |           configMap:
34 |             name: "nginx-frontend-conf"
35 |             items:
36 |               - key: "frontend.conf"
37 |                 path: "frontend.conf"
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.frontend
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/frontend.yaml:1-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: frontend
5 | spec:
6 |   replicas: 1
7 |   selector:
8 |     matchLabels:
9 |       app: frontend
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: frontend
14 |         track: stable
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: "nginx:1.9.14"
19 |           lifecycle:
20 |             preStop:
21 |               exec:
22 |                 command: ["/usr/sbin/nginx","-s","quit"]
23 |           volumeMounts:
24 |             - name: "nginx-frontend-conf"
25 |               mountPath: "/etc/nginx/conf.d"
26 |             - name: "tls-certs"
27 |               mountPath: "/etc/tls"
28 |       volumes:
29 |         - name: "tls-certs"
30 |           secret:
31 |             secretName: "tls-certs"
32 |         - name: "nginx-frontend-conf"
33 |           configMap:
34 |             name: "nginx-frontend-conf"
35 |             items:
36 |               - key: "frontend.conf"
37 |                 path: "frontend.conf"
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.frontend
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/frontend.yaml:1-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: frontend
5 | spec:
6 |   replicas: 1
7 |   selector:
8 |     matchLabels:
9 |       app: frontend
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: frontend
14 |         track: stable
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: "nginx:1.9.14"
19 |           lifecycle:
20 |             preStop:
21 |               exec:
22 |                 command: ["/usr/sbin/nginx","-s","quit"]
23 |           volumeMounts:
24 |             - name: "nginx-frontend-conf"
25 |               mountPath: "/etc/nginx/conf.d"
26 |             - name: "tls-certs"
27 |               mountPath: "/etc/tls"
28 |       volumes:
29 |         - name: "tls-certs"
30 |           secret:
31 |             secretName: "tls-certs"
32 |         - name: "nginx-frontend-conf"
33 |           configMap:
34 |             name: "nginx-frontend-conf"
35 |             items:
36 |               - key: "frontend.conf"
37 |                 path: "frontend.conf"
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.frontend
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/frontend.yaml:1-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: frontend
5 | spec:
6 |   replicas: 1
7 |   selector:
8 |     matchLabels:
9 |       app: frontend
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: frontend
14 |         track: stable
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: "nginx:1.9.14"
19 |           lifecycle:
20 |             preStop:
21 |               exec:
22 |                 command: ["/usr/sbin/nginx","-s","quit"]
23 |           volumeMounts:
24 |             - name: "nginx-frontend-conf"
25 |               mountPath: "/etc/nginx/conf.d"
26 |             - name: "tls-certs"
27 |               mountPath: "/etc/tls"
28 |       volumes:
29 |         - name: "tls-certs"
30 |           secret:
31 |             secretName: "tls-certs"
32 |         - name: "nginx-frontend-conf"
33 |           configMap:
34 |             name: "nginx-frontend-conf"
35 |             items:
36 |               - key: "frontend.conf"
37 |                 path: "frontend.conf"
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.frontend
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/frontend.yaml:1-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: frontend
5 | spec:
6 |   replicas: 1
7 |   selector:
8 |     matchLabels:
9 |       app: frontend
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: frontend
14 |         track: stable
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: "nginx:1.9.14"
19 |           lifecycle:
20 |             preStop:
21 |               exec:
22 |                 command: ["/usr/sbin/nginx","-s","quit"]
23 |           volumeMounts:
24 |             - name: "nginx-frontend-conf"
25 |               mountPath: "/etc/nginx/conf.d"
26 |             - name: "tls-certs"
27 |               mountPath: "/etc/tls"
28 |       volumes:
29 |         - name: "tls-certs"
30 |           secret:
31 |             secretName: "tls-certs"
32 |         - name: "nginx-frontend-conf"
33 |           configMap:
34 |             name: "nginx-frontend-conf"
35 |             items:
36 |               - key: "frontend.conf"
37 |                 path: "frontend.conf"
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.hello-canary
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello-canary.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: hello-canary
5 | spec:
6 |   replicas: 1
7 |   selector:
8 |     matchLabels:
9 |       app: hello
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: hello
14 |         track: canary
15 |         version: 2.0.0
16 |     spec:
17 |       containers:
18 |         - name: hello
19 |           image: kelseyhightower/hello:2.0.0
20 |           ports:
21 |             - name: http
22 |               containerPort: 80
23 |             - name: health
24 |               containerPort: 81
25 |           resources:
26 |             limits:
27 |               cpu: 0.2
28 |               memory: 10Mi
29 |           livenessProbe:
30 |             httpGet:
31 |               path: /healthz
32 |               port: 81
33 |               scheme: HTTP
34 |             initialDelaySeconds: 5
35 |             periodSeconds: 15
36 |             timeoutSeconds: 5
37 |           readinessProbe:
38 |             httpGet:
39 |               path: /readiness
40 |               port: 81
41 |               scheme: HTTP
42 |             initialDelaySeconds: 5
43 |             timeoutSeconds: 1
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.hello-canary
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello-canary.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: hello-canary
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: hello
10 | template:
11 | metadata:
12 | labels:
13 | app: hello
14 | track: canary
15 | version: 2.0.0
16 | spec:
17 | containers:
18 | - name: hello
19 | image: kelseyhightower/hello:2.0.0
20 | ports:
21 | - name: http
22 | containerPort: 80
23 | - name: health
24 | containerPort: 81
25 | resources:
26 | limits:
27 | cpu: 0.2
28 | memory: 10Mi
29 | livenessProbe:
30 | httpGet:
31 | path: /healthz
32 | port: 81
33 | scheme: HTTP
34 | initialDelaySeconds: 5
35 | periodSeconds: 15
36 | timeoutSeconds: 5
37 | readinessProbe:
38 | httpGet:
39 | path: /readiness
40 | port: 81
41 | scheme: HTTP
42 | initialDelaySeconds: 5
43 | timeoutSeconds: 1
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.hello-canary
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello-canary.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: hello-canary
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: hello
10 | template:
11 | metadata:
12 | labels:
13 | app: hello
14 | track: canary
15 | version: 2.0.0
16 | spec:
17 | containers:
18 | - name: hello
19 | image: kelseyhightower/hello:2.0.0
20 | ports:
21 | - name: http
22 | containerPort: 80
23 | - name: health
24 | containerPort: 81
25 | resources:
26 | limits:
27 | cpu: 0.2
28 | memory: 10Mi
29 | livenessProbe:
30 | httpGet:
31 | path: /healthz
32 | port: 81
33 | scheme: HTTP
34 | initialDelaySeconds: 5
35 | periodSeconds: 15
36 | timeoutSeconds: 5
37 | readinessProbe:
38 | httpGet:
39 | path: /readiness
40 | port: 81
41 | scheme: HTTP
42 | initialDelaySeconds: 5
43 | timeoutSeconds: 1
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.hello-canary
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello-canary.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: hello-canary
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: hello
10 | template:
11 | metadata:
12 | labels:
13 | app: hello
14 | track: canary
15 | version: 2.0.0
16 | spec:
17 | containers:
18 | - name: hello
19 | image: kelseyhightower/hello:2.0.0
20 | ports:
21 | - name: http
22 | containerPort: 80
23 | - name: health
24 | containerPort: 81
25 | resources:
26 | limits:
27 | cpu: 0.2
28 | memory: 10Mi
29 | livenessProbe:
30 | httpGet:
31 | path: /healthz
32 | port: 81
33 | scheme: HTTP
34 | initialDelaySeconds: 5
35 | periodSeconds: 15
36 | timeoutSeconds: 5
37 | readinessProbe:
38 | httpGet:
39 | path: /readiness
40 | port: 81
41 | scheme: HTTP
42 | initialDelaySeconds: 5
43 | timeoutSeconds: 1
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.hello-canary
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello-canary.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: hello-canary
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: hello
10 | template:
11 | metadata:
12 | labels:
13 | app: hello
14 | track: canary
15 | version: 2.0.0
16 | spec:
17 | containers:
18 | - name: hello
19 | image: kelseyhightower/hello:2.0.0
20 | ports:
21 | - name: http
22 | containerPort: 80
23 | - name: health
24 | containerPort: 81
25 | resources:
26 | limits:
27 | cpu: 0.2
28 | memory: 10Mi
29 | livenessProbe:
30 | httpGet:
31 | path: /healthz
32 | port: 81
33 | scheme: HTTP
34 | initialDelaySeconds: 5
35 | periodSeconds: 15
36 | timeoutSeconds: 5
37 | readinessProbe:
38 | httpGet:
39 | path: /readiness
40 | port: 81
41 | scheme: HTTP
42 | initialDelaySeconds: 5
43 | timeoutSeconds: 1
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.hello-canary
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello-canary.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: hello-canary
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: hello
10 | template:
11 | metadata:
12 | labels:
13 | app: hello
14 | track: canary
15 | version: 2.0.0
16 | spec:
17 | containers:
18 | - name: hello
19 | image: kelseyhightower/hello:2.0.0
20 | ports:
21 | - name: http
22 | containerPort: 80
23 | - name: health
24 | containerPort: 81
25 | resources:
26 | limits:
27 | cpu: 0.2
28 | memory: 10Mi
29 | livenessProbe:
30 | httpGet:
31 | path: /healthz
32 | port: 81
33 | scheme: HTTP
34 | initialDelaySeconds: 5
35 | periodSeconds: 15
36 | timeoutSeconds: 5
37 | readinessProbe:
38 | httpGet:
39 | path: /readiness
40 | port: 81
41 | scheme: HTTP
42 | initialDelaySeconds: 5
43 | timeoutSeconds: 1
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.hello-canary
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello-canary.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: hello-canary
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: hello
10 | template:
11 | metadata:
12 | labels:
13 | app: hello
14 | track: canary
15 | version: 2.0.0
16 | spec:
17 | containers:
18 | - name: hello
19 | image: kelseyhightower/hello:2.0.0
20 | ports:
21 | - name: http
22 | containerPort: 80
23 | - name: health
24 | containerPort: 81
25 | resources:
26 | limits:
27 | cpu: 0.2
28 | memory: 10Mi
29 | livenessProbe:
30 | httpGet:
31 | path: /healthz
32 | port: 81
33 | scheme: HTTP
34 | initialDelaySeconds: 5
35 | periodSeconds: 15
36 | timeoutSeconds: 5
37 | readinessProbe:
38 | httpGet:
39 | path: /readiness
40 | port: 81
41 | scheme: HTTP
42 | initialDelaySeconds: 5
43 | timeoutSeconds: 1
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.hello-canary
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello-canary.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: hello-canary
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: hello
10 | template:
11 | metadata:
12 | labels:
13 | app: hello
14 | track: canary
15 | version: 2.0.0
16 | spec:
17 | containers:
18 | - name: hello
19 | image: kelseyhightower/hello:2.0.0
20 | ports:
21 | - name: http
22 | containerPort: 80
23 | - name: health
24 | containerPort: 81
25 | resources:
26 | limits:
27 | cpu: 0.2
28 | memory: 10Mi
29 | livenessProbe:
30 | httpGet:
31 | path: /healthz
32 | port: 81
33 | scheme: HTTP
34 | initialDelaySeconds: 5
35 | periodSeconds: 15
36 | timeoutSeconds: 5
37 | readinessProbe:
38 | httpGet:
39 | path: /readiness
40 | port: 81
41 | scheme: HTTP
42 | initialDelaySeconds: 5
43 | timeoutSeconds: 1
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.hello-canary
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello-canary.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: hello-canary
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: hello
10 | template:
11 | metadata:
12 | labels:
13 | app: hello
14 | track: canary
15 | version: 2.0.0
16 | spec:
17 | containers:
18 | - name: hello
19 | image: kelseyhightower/hello:2.0.0
20 | ports:
21 | - name: http
22 | containerPort: 80
23 | - name: health
24 | containerPort: 81
25 | resources:
26 | limits:
27 | cpu: 0.2
28 | memory: 10Mi
29 | livenessProbe:
30 | httpGet:
31 | path: /healthz
32 | port: 81
33 | scheme: HTTP
34 | initialDelaySeconds: 5
35 | periodSeconds: 15
36 | timeoutSeconds: 5
37 | readinessProbe:
38 | httpGet:
39 | path: /readiness
40 | port: 81
41 | scheme: HTTP
42 | initialDelaySeconds: 5
43 | timeoutSeconds: 1
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.hello-canary
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello-canary.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: hello-canary
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: hello
10 | template:
11 | metadata:
12 | labels:
13 | app: hello
14 | track: canary
15 | version: 2.0.0
16 | spec:
17 | containers:
18 | - name: hello
19 | image: kelseyhightower/hello:2.0.0
20 | ports:
21 | - name: http
22 | containerPort: 80
23 | - name: health
24 | containerPort: 81
25 | resources:
26 | limits:
27 | cpu: 0.2
28 | memory: 10Mi
29 | livenessProbe:
30 | httpGet:
31 | path: /healthz
32 | port: 81
33 | scheme: HTTP
34 | initialDelaySeconds: 5
35 | periodSeconds: 15
36 | timeoutSeconds: 5
37 | readinessProbe:
38 | httpGet:
39 | path: /readiness
40 | port: 81
41 | scheme: HTTP
42 | initialDelaySeconds: 5
43 | timeoutSeconds: 1
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.hello-canary
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello-canary.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: hello-canary
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: hello
10 | template:
11 | metadata:
12 | labels:
13 | app: hello
14 | track: canary
15 | version: 2.0.0
16 | spec:
17 | containers:
18 | - name: hello
19 | image: kelseyhightower/hello:2.0.0
20 | ports:
21 | - name: http
22 | containerPort: 80
23 | - name: health
24 | containerPort: 81
25 | resources:
26 | limits:
27 | cpu: 0.2
28 | memory: 10Mi
29 | livenessProbe:
30 | httpGet:
31 | path: /healthz
32 | port: 81
33 | scheme: HTTP
34 | initialDelaySeconds: 5
35 | periodSeconds: 15
36 | timeoutSeconds: 5
37 | readinessProbe:
38 | httpGet:
39 | path: /readiness
40 | port: 81
41 | scheme: HTTP
42 | initialDelaySeconds: 5
43 | timeoutSeconds: 1
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.hello-canary
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello-canary.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: hello-canary
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: hello
10 | template:
11 | metadata:
12 | labels:
13 | app: hello
14 | track: canary
15 | version: 2.0.0
16 | spec:
17 | containers:
18 | - name: hello
19 | image: kelseyhightower/hello:2.0.0
20 | ports:
21 | - name: http
22 | containerPort: 80
23 | - name: health
24 | containerPort: 81
25 | resources:
26 | limits:
27 | cpu: 0.2
28 | memory: 10Mi
29 | livenessProbe:
30 | httpGet:
31 | path: /healthz
32 | port: 81
33 | scheme: HTTP
34 | initialDelaySeconds: 5
35 | periodSeconds: 15
36 | timeoutSeconds: 5
37 | readinessProbe:
38 | httpGet:
39 | path: /readiness
40 | port: 81
41 | scheme: HTTP
42 | initialDelaySeconds: 5
43 | timeoutSeconds: 1
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.hello-canary
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello-canary.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: hello-canary
5 | spec:
6 | replicas: 1
7 | selector:
8 | matchLabels:
9 | app: hello
10 | template:
11 | metadata:
12 | labels:
13 | app: hello
14 | track: canary
15 | version: 2.0.0
16 | spec:
17 | containers:
18 | - name: hello
19 | image: kelseyhightower/hello:2.0.0
20 | ports:
21 | - name: http
22 | containerPort: 80
23 | - name: health
24 | containerPort: 81
25 | resources:
26 | limits:
27 | cpu: 0.2
28 | memory: 10Mi
29 | livenessProbe:
30 | httpGet:
31 | path: /healthz
32 | port: 81
33 | scheme: HTTP
34 | initialDelaySeconds: 5
35 | periodSeconds: 15
36 | timeoutSeconds: 5
37 | readinessProbe:
38 | httpGet:
39 | path: /readiness
40 | port: 81
41 | scheme: HTTP
42 | initialDelaySeconds: 5
43 | timeoutSeconds: 1
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.hello
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: hello
5 | spec:
6 | replicas: 3
7 | selector:
8 | matchLabels:
9 | app: hello
10 | template:
11 | metadata:
12 | labels:
13 | app: hello
14 | track: stable
15 | version: 1.0.0
16 | spec:
17 | containers:
18 | - name: hello
19 | image: "kelseyhightower/hello:1.0.0"
20 | ports:
21 | - name: http
22 | containerPort: 80
23 | - name: health
24 | containerPort: 81
25 | resources:
26 | limits:
27 | cpu: 0.2
28 | memory: "10Mi"
29 | livenessProbe:
30 | httpGet:
31 | path: /healthz
32 | port: 81
33 | scheme: HTTP
34 | initialDelaySeconds: 5
35 | periodSeconds: 15
36 | timeoutSeconds: 5
37 | readinessProbe:
38 | httpGet:
39 | path: /readiness
40 | port: 81
41 | scheme: HTTP
42 | initialDelaySeconds: 5
43 | timeoutSeconds: 1
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.hello
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: hello
5 | spec:
6 | replicas: 3
7 | selector:
8 | matchLabels:
9 | app: hello
10 | template:
11 | metadata:
12 | labels:
13 | app: hello
14 | track: stable
15 | version: 1.0.0
16 | spec:
17 | containers:
18 | - name: hello
19 | image: "kelseyhightower/hello:1.0.0"
20 | ports:
21 | - name: http
22 | containerPort: 80
23 | - name: health
24 | containerPort: 81
25 | resources:
26 | limits:
27 | cpu: 0.2
28 | memory: "10Mi"
29 | livenessProbe:
30 | httpGet:
31 | path: /healthz
32 | port: 81
33 | scheme: HTTP
34 | initialDelaySeconds: 5
35 | periodSeconds: 15
36 | timeoutSeconds: 5
37 | readinessProbe:
38 | httpGet:
39 | path: /readiness
40 | port: 81
41 | scheme: HTTP
42 | initialDelaySeconds: 5
43 | timeoutSeconds: 1
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.hello
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: hello
5 | spec:
6 | replicas: 3
7 | selector:
8 | matchLabels:
9 | app: hello
10 | template:
11 | metadata:
12 | labels:
13 | app: hello
14 | track: stable
15 | version: 1.0.0
16 | spec:
17 | containers:
18 | - name: hello
19 | image: "kelseyhightower/hello:1.0.0"
20 | ports:
21 | - name: http
22 | containerPort: 80
23 | - name: health
24 | containerPort: 81
25 | resources:
26 | limits:
27 | cpu: 0.2
28 | memory: "10Mi"
29 | livenessProbe:
30 | httpGet:
31 | path: /healthz
32 | port: 81
33 | scheme: HTTP
34 | initialDelaySeconds: 5
35 | periodSeconds: 15
36 | timeoutSeconds: 5
37 | readinessProbe:
38 | httpGet:
39 | path: /readiness
40 | port: 81
41 | scheme: HTTP
42 | initialDelaySeconds: 5
43 | timeoutSeconds: 1
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.hello
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: hello
5 | spec:
6 | replicas: 3
7 | selector:
8 | matchLabels:
9 | app: hello
10 | template:
11 | metadata:
12 | labels:
13 | app: hello
14 | track: stable
15 | version: 1.0.0
16 | spec:
17 | containers:
18 | - name: hello
19 | image: "kelseyhightower/hello:1.0.0"
20 | ports:
21 | - name: http
22 | containerPort: 80
23 | - name: health
24 | containerPort: 81
25 | resources:
26 | limits:
27 | cpu: 0.2
28 | memory: "10Mi"
29 | livenessProbe:
30 | httpGet:
31 | path: /healthz
32 | port: 81
33 | scheme: HTTP
34 | initialDelaySeconds: 5
35 | periodSeconds: 15
36 | timeoutSeconds: 5
37 | readinessProbe:
38 | httpGet:
39 | path: /readiness
40 | port: 81
41 | scheme: HTTP
42 | initialDelaySeconds: 5
43 | timeoutSeconds: 1
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.hello
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: hello
5 | spec:
6 | replicas: 3
7 | selector:
8 | matchLabels:
9 | app: hello
10 | template:
11 | metadata:
12 | labels:
13 | app: hello
14 | track: stable
15 | version: 1.0.0
16 | spec:
17 | containers:
18 | - name: hello
19 | image: "kelseyhightower/hello:1.0.0"
20 | ports:
21 | - name: http
22 | containerPort: 80
23 | - name: health
24 | containerPort: 81
25 | resources:
26 | limits:
27 | cpu: 0.2
28 | memory: "10Mi"
29 | livenessProbe:
30 | httpGet:
31 | path: /healthz
32 | port: 81
33 | scheme: HTTP
34 | initialDelaySeconds: 5
35 | periodSeconds: 15
36 | timeoutSeconds: 5
37 | readinessProbe:
38 | httpGet:
39 | path: /readiness
40 | port: 81
41 | scheme: HTTP
42 | initialDelaySeconds: 5
43 | timeoutSeconds: 1
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.hello
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: hello
5 | spec:
6 | replicas: 3
7 | selector:
8 | matchLabels:
9 | app: hello
10 | template:
11 | metadata:
12 | labels:
13 | app: hello
14 | track: stable
15 | version: 1.0.0
16 | spec:
17 | containers:
18 | - name: hello
19 | image: "kelseyhightower/hello:1.0.0"
20 | ports:
21 | - name: http
22 | containerPort: 80
23 | - name: health
24 | containerPort: 81
25 | resources:
26 | limits:
27 | cpu: 0.2
28 | memory: "10Mi"
29 | livenessProbe:
30 | httpGet:
31 | path: /healthz
32 | port: 81
33 | scheme: HTTP
34 | initialDelaySeconds: 5
35 | periodSeconds: 15
36 | timeoutSeconds: 5
37 | readinessProbe:
38 | httpGet:
39 | path: /readiness
40 | port: 81
41 | scheme: HTTP
42 | initialDelaySeconds: 5
43 | timeoutSeconds: 1
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.hello
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: hello
5 | spec:
6 | replicas: 3
7 | selector:
8 | matchLabels:
9 | app: hello
10 | template:
11 | metadata:
12 | labels:
13 | app: hello
14 | track: stable
15 | version: 1.0.0
16 | spec:
17 | containers:
18 | - name: hello
19 | image: "kelseyhightower/hello:1.0.0"
20 | ports:
21 | - name: http
22 | containerPort: 80
23 | - name: health
24 | containerPort: 81
25 | resources:
26 | limits:
27 | cpu: 0.2
28 | memory: "10Mi"
29 | livenessProbe:
30 | httpGet:
31 | path: /healthz
32 | port: 81
33 | scheme: HTTP
34 | initialDelaySeconds: 5
35 | periodSeconds: 15
36 | timeoutSeconds: 5
37 | readinessProbe:
38 | httpGet:
39 | path: /readiness
40 | port: 81
41 | scheme: HTTP
42 | initialDelaySeconds: 5
43 | timeoutSeconds: 1
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.hello
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: hello
5 | spec:
6 | replicas: 3
7 | selector:
8 | matchLabels:
9 | app: hello
10 | template:
11 | metadata:
12 | labels:
13 | app: hello
14 | track: stable
15 | version: 1.0.0
16 | spec:
17 | containers:
18 | - name: hello
19 | image: "kelseyhightower/hello:1.0.0"
20 | ports:
21 | - name: http
22 | containerPort: 80
23 | - name: health
24 | containerPort: 81
25 | resources:
26 | limits:
27 | cpu: 0.2
28 | memory: "10Mi"
29 | livenessProbe:
30 | httpGet:
31 | path: /healthz
32 | port: 81
33 | scheme: HTTP
34 | initialDelaySeconds: 5
35 | periodSeconds: 15
36 | timeoutSeconds: 5
37 | readinessProbe:
38 | httpGet:
39 | path: /readiness
40 | port: 81
41 | scheme: HTTP
42 | initialDelaySeconds: 5
43 | timeoutSeconds: 1
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.hello
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: hello
5 | spec:
6 | replicas: 3
7 | selector:
8 | matchLabels:
9 | app: hello
10 | template:
11 | metadata:
12 | labels:
13 | app: hello
14 | track: stable
15 | version: 1.0.0
16 | spec:
17 | containers:
18 | - name: hello
19 | image: "kelseyhightower/hello:1.0.0"
20 | ports:
21 | - name: http
22 | containerPort: 80
23 | - name: health
24 | containerPort: 81
25 | resources:
26 | limits:
27 | cpu: 0.2
28 | memory: "10Mi"
29 | livenessProbe:
30 | httpGet:
31 | path: /healthz
32 | port: 81
33 | scheme: HTTP
34 | initialDelaySeconds: 5
35 | periodSeconds: 15
36 | timeoutSeconds: 5
37 | readinessProbe:
38 | httpGet:
39 | path: /readiness
40 | port: 81
41 | scheme: HTTP
42 | initialDelaySeconds: 5
43 | timeoutSeconds: 1
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.hello
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: hello
5 | spec:
6 | replicas: 3
7 | selector:
8 | matchLabels:
9 | app: hello
10 | template:
11 | metadata:
12 | labels:
13 | app: hello
14 | track: stable
15 | version: 1.0.0
16 | spec:
17 | containers:
18 | - name: hello
19 | image: "kelseyhightower/hello:1.0.0"
20 | ports:
21 | - name: http
22 | containerPort: 80
23 | - name: health
24 | containerPort: 81
25 | resources:
26 | limits:
27 | cpu: 0.2
28 | memory: "10Mi"
29 | livenessProbe:
30 | httpGet:
31 | path: /healthz
32 | port: 81
33 | scheme: HTTP
34 | initialDelaySeconds: 5
35 | periodSeconds: 15
36 | timeoutSeconds: 5
37 | readinessProbe:
38 | httpGet:
39 | path: /readiness
40 | port: 81
41 | scheme: HTTP
42 | initialDelaySeconds: 5
43 | timeoutSeconds: 1
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.hello
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: hello
5 | spec:
6 | replicas: 3
7 | selector:
8 | matchLabels:
9 | app: hello
10 | template:
11 | metadata:
12 | labels:
13 | app: hello
14 | track: stable
15 | version: 1.0.0
16 | spec:
17 | containers:
18 | - name: hello
19 | image: "kelseyhightower/hello:1.0.0"
20 | ports:
21 | - name: http
22 | containerPort: 80
23 | - name: health
24 | containerPort: 81
25 | resources:
26 | limits:
27 | cpu: 0.2
28 | memory: "10Mi"
29 | livenessProbe:
30 | httpGet:
31 | path: /healthz
32 | port: 81
33 | scheme: HTTP
34 | initialDelaySeconds: 5
35 | periodSeconds: 15
36 | timeoutSeconds: 5
37 | readinessProbe:
38 | httpGet:
39 | path: /readiness
40 | port: 81
41 | scheme: HTTP
42 | initialDelaySeconds: 5
43 | timeoutSeconds: 1
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.hello
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: hello
5 | spec:
6 | replicas: 3
7 | selector:
8 | matchLabels:
9 | app: hello
10 | template:
11 | metadata:
12 | labels:
13 | app: hello
14 | track: stable
15 | version: 1.0.0
16 | spec:
17 | containers:
18 | - name: hello
19 | image: "kelseyhightower/hello:1.0.0"
20 | ports:
21 | - name: http
22 | containerPort: 80
23 | - name: health
24 | containerPort: 81
25 | resources:
26 | limits:
27 | cpu: 0.2
28 | memory: "10Mi"
29 | livenessProbe:
30 | httpGet:
31 | path: /healthz
32 | port: 81
33 | scheme: HTTP
34 | initialDelaySeconds: 5
35 | periodSeconds: 15
36 | timeoutSeconds: 5
37 | readinessProbe:
38 | httpGet:
39 | path: /readiness
40 | port: 81
41 | scheme: HTTP
42 | initialDelaySeconds: 5
43 | timeoutSeconds: 1
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.hello
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello.yaml:1-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: hello
5 | spec:
6 | replicas: 3
7 | selector:
8 | matchLabels:
9 | app: hello
10 | template:
11 | metadata:
12 | labels:
13 | app: hello
14 | track: stable
15 | version: 1.0.0
16 | spec:
17 | containers:
18 | - name: hello
19 | image: "kelseyhightower/hello:1.0.0"
20 | ports:
21 | - name: http
22 | containerPort: 80
23 | - name: health
24 | containerPort: 81
25 | resources:
26 | limits:
27 | cpu: 0.2
28 | memory: "10Mi"
29 | livenessProbe:
30 | httpGet:
31 | path: /healthz
32 | port: 81
33 | scheme: HTTP
34 | initialDelaySeconds: 5
35 | periodSeconds: 15
36 | timeoutSeconds: 5
37 | readinessProbe:
38 | httpGet:
39 | path: /readiness
40 | port: 81
41 | scheme: HTTP
42 | initialDelaySeconds: 5
43 | timeoutSeconds: 1
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: devops-deployment
6 |   labels:
7 |     app: devops
8 |     tier: frontend
9 | spec:
10 |   replicas: 3
11 |   selector:
12 |     matchLabels:
13 |       app: devops
14 |       tier: frontend
15 |   template:
16 |     metadata:
17 |       labels:
18 |         app: devops
19 |         tier: frontend
20 |     spec:
21 |       containers:
22 |       - name: devops-demo
23 |         image:
24 |         ports:
25 |         - containerPort: 8080
26 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: devops-deployment
6 |   labels:
7 |     app: devops
8 |     tier: frontend
9 | spec:
10 |   replicas: 3
11 |   selector:
12 |     matchLabels:
13 |       app: devops
14 |       tier: frontend
15 |   template:
16 |     metadata:
17 |       labels:
18 |         app: devops
19 |         tier: frontend
20 |     spec:
21 |       containers:
22 |       - name: devops-demo
23 |         image:
24 |         ports:
25 |         - containerPort: 8080
26 | ---
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: devops-deployment
6 |   labels:
7 |     app: devops
8 |     tier: frontend
9 | spec:
10 |   replicas: 3
11 |   selector:
12 |     matchLabels:
13 |       app: devops
14 |       tier: frontend
15 |   template:
16 |     metadata:
17 |       labels:
18 |         app: devops
19 |         tier: frontend
20 |     spec:
21 |       containers:
22 |       - name: devops-demo
23 |         image:
24 |         ports:
25 |         - containerPort: 8080
26 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: devops-deployment
6 |   labels:
7 |     app: devops
8 |     tier: frontend
9 | spec:
10 |   replicas: 3
11 |   selector:
12 |     matchLabels:
13 |       app: devops
14 |       tier: frontend
15 |   template:
16 |     metadata:
17 |       labels:
18 |         app: devops
19 |         tier: frontend
20 |     spec:
21 |       containers:
22 |       - name: devops-demo
23 |         image:
24 |         ports:
25 |         - containerPort: 8080
26 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: devops-deployment
6 |   labels:
7 |     app: devops
8 |     tier: frontend
9 | spec:
10 |   replicas: 3
11 |   selector:
12 |     matchLabels:
13 |       app: devops
14 |       tier: frontend
15 |   template:
16 |     metadata:
17 |       labels:
18 |         app: devops
19 |         tier: frontend
20 |     spec:
21 |       containers:
22 |       - name: devops-demo
23 |         image:
24 |         ports:
25 |         - containerPort: 8080
26 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: devops-deployment
6 |   labels:
7 |     app: devops
8 |     tier: frontend
9 | spec:
10 |   replicas: 3
11 |   selector:
12 |     matchLabels:
13 |       app: devops
14 |       tier: frontend
15 |   template:
16 |     metadata:
17 |       labels:
18 |         app: devops
19 |         tier: frontend
20 |     spec:
21 |       containers:
22 |       - name: devops-demo
23 |         image:
24 |         ports:
25 |         - containerPort: 8080
26 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: devops-deployment
6 |   labels:
7 |     app: devops
8 |     tier: frontend
9 | spec:
10 |   replicas: 3
11 |   selector:
12 |     matchLabels:
13 |       app: devops
14 |       tier: frontend
15 |   template:
16 |     metadata:
17 |       labels:
18 |         app: devops
19 |         tier: frontend
20 |     spec:
21 |       containers:
22 |       - name: devops-demo
23 |         image:
24 |         ports:
25 |         - containerPort: 8080
26 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: devops-deployment
6 |   labels:
7 |     app: devops
8 |     tier: frontend
9 | spec:
10 |   replicas: 3
11 |   selector:
12 |     matchLabels:
13 |       app: devops
14 |       tier: frontend
15 |   template:
16 |     metadata:
17 |       labels:
18 |         app: devops
19 |         tier: frontend
20 |     spec:
21 |       containers:
22 |       - name: devops-demo
23 |         image:
24 |         ports:
25 |         - containerPort: 8080
26 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: devops-deployment
6 |   labels:
7 |     app: devops
8 |     tier: frontend
9 | spec:
10 |   replicas: 3
11 |   selector:
12 |     matchLabels:
13 |       app: devops
14 |       tier: frontend
15 |   template:
16 |     metadata:
17 |       labels:
18 |         app: devops
19 |         tier: frontend
20 |     spec:
21 |       containers:
22 |       - name: devops-demo
23 |         image:
24 |         ports:
25 |         - containerPort: 8080
26 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: devops-deployment
6 |   labels:
7 |     app: devops
8 |     tier: frontend
9 | spec:
10 |   replicas: 3
11 |   selector:
12 |     matchLabels:
13 |       app: devops
14 |       tier: frontend
15 |   template:
16 |     metadata:
17 |       labels:
18 |         app: devops
19 |         tier: frontend
20 |     spec:
21 |       containers:
22 |       - name: devops-demo
23 |         image:
24 |         ports:
25 |         - containerPort: 8080
26 | ---
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: devops-deployment
6 |   labels:
7 |     app: devops
8 |     tier: frontend
9 | spec:
10 |   replicas: 3
11 |   selector:
12 |     matchLabels:
13 |       app: devops
14 |       tier: frontend
15 |   template:
16 |     metadata:
17 |       labels:
18 |         app: devops
19 |         tier: frontend
20 |     spec:
21 |       containers:
22 |       - name: devops-demo
23 |         image:
24 |         ports:
25 |         - containerPort: 8080
26 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: devops-deployment
6 |   labels:
7 |     app: devops
8 |     tier: frontend
9 | spec:
10 |   replicas: 3
11 |   selector:
12 |     matchLabels:
13 |       app: devops
14 |       tier: frontend
15 |   template:
16 |     metadata:
17 |       labels:
18 |         app: devops
19 |         tier: frontend
20 |     spec:
21 |       containers:
22 |       - name: devops-demo
23 |         image:
24 |         ports:
25 |         - containerPort: 8080
26 | ---
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: devops-deployment
6 |   labels:
7 |     app: devops
8 |     tier: frontend
9 | spec:
10 |   replicas: 3
11 |   selector:
12 |     matchLabels:
13 |       app: devops
14 |       tier: frontend
15 |   template:
16 |     metadata:
17 |       labels:
18 |         app: devops
19 |         tier: frontend
20 |     spec:
21 |       containers:
22 |       - name: devops-demo
23 |         image:
24 |         ports:
25 |         - containerPort: 8080
26 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: devops-deployment
6 |   labels:
7 |     app: devops
8 |     tier: frontend
9 | spec:
10 |   replicas: 3
11 |   selector:
12 |     matchLabels:
13 |       app: devops
14 |       tier: frontend
15 |   template:
16 |     metadata:
17 |       labels:
18 |         app: devops
19 |         tier: frontend
20 |     spec:
21 |       containers:
22 |       - name: devops-demo
23 |         image:
24 |         ports:
25 |         - containerPort: 8080
26 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: devops-deployment
6 |   labels:
7 |     app: devops
8 |     tier: frontend
9 | spec:
10 |   replicas: 3
11 |   selector:
12 |     matchLabels:
13 |       app: devops
14 |       tier: frontend
15 |   template:
16 |     metadata:
17 |       labels:
18 |         app: devops
19 |         tier: frontend
20 |     spec:
21 |       containers:
22 |       - name: devops-demo
23 |         image:
24 |         ports:
25 |         - containerPort: 8080
26 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: devops-deployment
6 |   labels:
7 |     app: devops
8 |     tier: frontend
9 | spec:
10 |   replicas: 3
11 |   selector:
12 |     matchLabels:
13 |       app: devops
14 |       tier: frontend
15 |   template:
16 |     metadata:
17 |       labels:
18 |         app: devops
19 |         tier: frontend
20 |     spec:
21 |       containers:
22 |       - name: devops-demo
23 |         image:
24 |         ports:
25 |         - containerPort: 8080
26 | ---
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: devops-deployment
6 |   labels:
7 |     app: devops
8 |     tier: frontend
9 | spec:
10 |   replicas: 3
11 |   selector:
12 |     matchLabels:
13 |       app: devops
14 |       tier: frontend
15 |   template:
16 |     metadata:
17 |       labels:
18 |         app: devops
19 |         tier: frontend
20 |     spec:
21 |       containers:
22 |       - name: devops-demo
23 |         image:
24 |         ports:
25 |         - containerPort: 8080
26 | ---
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: devops-deployment
6 |   labels:
7 |     app: devops
8 |     tier: frontend
9 | spec:
10 |   replicas: 3
11 |   selector:
12 |     matchLabels:
13 |       app: devops
14 |       tier: frontend
15 |   template:
16 |     metadata:
17 |       labels:
18 |         app: devops
19 |         tier: frontend
20 |     spec:
21 |       containers:
22 |       - name: devops-demo
23 |         image:
24 |         ports:
25 |         - containerPort: 8080
26 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: devops-deployment
6 |   labels:
7 |     app: devops
8 |     tier: frontend
9 | spec:
10 |   replicas: 3
11 |   selector:
12 |     matchLabels:
13 |       app: devops
14 |       tier: frontend
15 |   template:
16 |     metadata:
17 |       labels:
18 |         app: devops
19 |         tier: frontend
20 |     spec:
21 |       containers:
22 |       - name: devops-demo
23 |         image:
24 |         ports:
25 |         - containerPort: 8080
26 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.devops-deployment-lb
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun/k8s-manifests.yaml:27-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
27 | apiVersion: v1
28 | kind: Service
29 | metadata:
30 |   name: devops-deployment-lb
31 |   labels:
32 |     app: devops
33 |     tier: frontend-lb
34 | spec:
35 |   type: LoadBalancer
36 |   ports:
37 |   - port: 80
38 |     targetPort: 8080
39 |   selector:
40 |     app: devops
41 |     tier: frontend
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ServiceAccount.default.sleep
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/sleep.yaml:4-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
4 | apiVersion: v1
5 | kind: ServiceAccount
6 | metadata:
7 |   name: sleep
8 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.sleep
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/sleep.yaml:9-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
9 | apiVersion: v1
10 | kind: Service
11 | metadata:
12 |   name: sleep
13 |   labels:
14 |     app: sleep
15 | spec:
16 |   ports:
17 |   - port: 80
18 |     name: http
19 |   selector:
20 |     app: sleep
21 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.sleep
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/sleep.yaml:22-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
22 | apiVersion: apps/v1
23 | kind: Deployment
24 | metadata:
25 |   name: sleep
26 | spec:
27 |   replicas: 1
28 |   selector:
29 |     matchLabels:
30 |       app: sleep
31 |   template:
32 |     metadata:
33 |       labels:
34 |         app: sleep
35 |     spec:
36 |       serviceAccountName: sleep
37 |       containers:
38 |       - name: sleep
39 |         image: governmentpaas/curl-ssl
40 |         command: ["/bin/sleep", "3650d"]
41 |         imagePullPolicy: IfNotPresent
42 |         volumeMounts:
43 |         - mountPath: /etc/sleep/tls
44 |           name: secret-volume
45 |       volumes:
46 |       - name: secret-volume
47 |         secret:
48 |           secretName: sleep-secret
49 |           optional: true
50 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.sleep
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/sleep.yaml:22-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
22 | apiVersion: apps/v1
23 | kind: Deployment
24 | metadata:
25 |   name: sleep
26 | spec:
27 |   replicas: 1
28 |   selector:
29 |     matchLabels:
30 |       app: sleep
31 |   template:
32 |     metadata:
33 |       labels:
34 |         app: sleep
35 |     spec:
36 |       serviceAccountName: sleep
37 |       containers:
38 |       - name: sleep
39 |         image: governmentpaas/curl-ssl
40 |         command: ["/bin/sleep", "3650d"]
41 |         imagePullPolicy: IfNotPresent
42 |         volumeMounts:
43 |         - mountPath: /etc/sleep/tls
44 |           name: secret-volume
45 |       volumes:
46 |       - name: secret-volume
47 |         secret:
48 |           secretName: sleep-secret
49 |           optional: true
50 | ---
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.sleep
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/sleep.yaml:22-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
22 | apiVersion: apps/v1
23 | kind: Deployment
24 | metadata:
25 |   name: sleep
26 | spec:
27 |   replicas: 1
28 |   selector:
29 |     matchLabels:
30 |       app: sleep
31 |   template:
32 |     metadata:
33 |       labels:
34 |         app: sleep
35 |     spec:
36 |       serviceAccountName: sleep
37 |       containers:
38 |       - name: sleep
39 |         image: governmentpaas/curl-ssl
40 |         command: ["/bin/sleep", "3650d"]
41 |         imagePullPolicy: IfNotPresent
42 |         volumeMounts:
43 |         - mountPath: /etc/sleep/tls
44 |           name: secret-volume
45 |       volumes:
46 |       - name: secret-volume
47 |         secret:
48 |           secretName: sleep-secret
49 |           optional: true
50 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.sleep
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/sleep.yaml:22-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
22 | apiVersion: apps/v1
23 | kind: Deployment
24 | metadata:
25 |   name: sleep
26 | spec:
27 |   replicas: 1
28 |   selector:
29 |     matchLabels:
30 |       app: sleep
31 |   template:
32 |     metadata:
33 |       labels:
34 |         app: sleep
35 |     spec:
36 |       serviceAccountName: sleep
37 |       containers:
38 |       - name: sleep
39 |         image: governmentpaas/curl-ssl
40 |         command: ["/bin/sleep", "3650d"]
41 |         imagePullPolicy: IfNotPresent
42 |         volumeMounts:
43 |         - mountPath: /etc/sleep/tls
44 |           name: secret-volume
45 |       volumes:
46 |       - name: secret-volume
47 |         secret:
48 |           secretName: sleep-secret
49 |           optional: true
50 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.sleep
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/sleep.yaml:22-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
22 | apiVersion: apps/v1
23 | kind: Deployment
24 | metadata:
25 |   name: sleep
26 | spec:
27 |   replicas: 1
28 |   selector:
29 |     matchLabels:
30 |       app: sleep
31 |   template:
32 |     metadata:
33 |       labels:
34 |         app: sleep
35 |     spec:
36 |       serviceAccountName: sleep
37 |       containers:
38 |       - name: sleep
39 |         image: governmentpaas/curl-ssl
40 |         command: ["/bin/sleep", "3650d"]
41 |         imagePullPolicy: IfNotPresent
42 |         volumeMounts:
43 |         - mountPath: /etc/sleep/tls
44 |           name: secret-volume
45 |       volumes:
46 |       - name: secret-volume
47 |         secret:
48 |           secretName: sleep-secret
49 |           optional: true
50 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.sleep
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/sleep.yaml:22-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
22 | apiVersion: apps/v1
23 | kind: Deployment
24 | metadata:
25 |   name: sleep
26 | spec:
27 |   replicas: 1
28 |   selector:
29 |     matchLabels:
30 |       app: sleep
31 |   template:
32 |     metadata:
33 |       labels:
34 |         app: sleep
35 |     spec:
36 |       serviceAccountName: sleep
37 |       containers:
38 |       - name: sleep
39 |         image: governmentpaas/curl-ssl
40 |         command: ["/bin/sleep", "3650d"]
41 |         imagePullPolicy: IfNotPresent
42 |         volumeMounts:
43 |         - mountPath: /etc/sleep/tls
44 |           name: secret-volume
45 |       volumes:
46 |       - name: secret-volume
47 |         secret:
48 |           secretName: sleep-secret
49 |           optional: true
50 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.sleep
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/sleep.yaml:22-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
22 | apiVersion: apps/v1
23 | kind: Deployment
24 | metadata:
25 |   name: sleep
26 | spec:
27 |   replicas: 1
28 |   selector:
29 |     matchLabels:
30 |       app: sleep
31 |   template:
32 |     metadata:
33 |       labels:
34 |         app: sleep
35 |     spec:
36 |       serviceAccountName: sleep
37 |       containers:
38 |       - name: sleep
39 |         image: governmentpaas/curl-ssl
40 |         command: ["/bin/sleep", "3650d"]
41 |         imagePullPolicy: IfNotPresent
42 |         volumeMounts:
43 |         - mountPath: /etc/sleep/tls
44 |           name: secret-volume
45 |       volumes:
46 |       - name: secret-volume
47 |         secret:
48 |           secretName: sleep-secret
49 |           optional: true
50 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.sleep
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/sleep.yaml:22-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
22 | apiVersion: apps/v1
23 | kind: Deployment
24 | metadata:
25 |   name: sleep
26 | spec:
27 |   replicas: 1
28 |   selector:
29 |     matchLabels:
30 |       app: sleep
31 |   template:
32 |     metadata:
33 |       labels:
34 |         app: sleep
35 |     spec:
36 |       serviceAccountName: sleep
37 |       containers:
38 |       - name: sleep
39 |         image: governmentpaas/curl-ssl
40 |         command: ["/bin/sleep", "3650d"]
41 |         imagePullPolicy: IfNotPresent
42 |         volumeMounts:
43 |         - mountPath: /etc/sleep/tls
44 |           name: secret-volume
45 |       volumes:
46 |       - name: secret-volume
47 |         secret:
48 |           secretName: sleep-secret
49 |           optional: true
50 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.sleep
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/sleep.yaml:22-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
22 | apiVersion: apps/v1
23 | kind: Deployment
24 | metadata:
25 |   name: sleep
26 | spec:
27 |   replicas: 1
28 |   selector:
29 |     matchLabels:
30 |       app: sleep
31 |   template:
32 |     metadata:
33 |       labels:
34 |         app: sleep
35 |     spec:
36 |       serviceAccountName: sleep
37 |       containers:
38 |       - name: sleep
39 |         image: governmentpaas/curl-ssl
40 |         command: ["/bin/sleep", "3650d"]
41 |         imagePullPolicy: IfNotPresent
42 |         volumeMounts:
43 |         - mountPath: /etc/sleep/tls
44 |           name: secret-volume
45 |       volumes:
46 |       - name: secret-volume
47 |         secret:
48 |           secretName: sleep-secret
49 |           optional: true
50 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.sleep
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/sleep.yaml:22-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
22 | apiVersion: apps/v1
23 | kind: Deployment
24 | metadata:
25 |   name: sleep
26 | spec:
27 |   replicas: 1
28 |   selector:
29 |     matchLabels:
30 |       app: sleep
31 |   template:
32 |     metadata:
33 |       labels:
34 |         app: sleep
35 |     spec:
36 |       serviceAccountName: sleep
37 |       containers:
38 |       - name: sleep
39 |         image: governmentpaas/curl-ssl
40 |         command: ["/bin/sleep", "3650d"]
41 |         imagePullPolicy: IfNotPresent
42 |         volumeMounts:
43 |         - mountPath: /etc/sleep/tls
44 |           name: secret-volume
45 |       volumes:
46 |       - name: secret-volume
47 |         secret:
48 |           secretName: sleep-secret
49 |           optional: true
50 | ---
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.sleep
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/sleep.yaml:22-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
22 | apiVersion: apps/v1
23 | kind: Deployment
24 | metadata:
25 |   name: sleep
26 | spec:
27 |   replicas: 1
28 |   selector:
29 |     matchLabels:
30 |       app: sleep
31 |   template:
32 |     metadata:
33 |       labels:
34 |         app: sleep
35 |     spec:
36 |       serviceAccountName: sleep
37 |       containers:
38 |       - name: sleep
39 |         image: governmentpaas/curl-ssl
40 |         command: ["/bin/sleep", "3650d"]
41 |         imagePullPolicy: IfNotPresent
42 |         volumeMounts:
43 |         - mountPath: /etc/sleep/tls
44 |           name: secret-volume
45 |       volumes:
46 |       - name: secret-volume
47 |         secret:
48 |           secretName: sleep-secret
49 |           optional: true
50 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.sleep
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/sleep.yaml:22-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
22 | apiVersion: apps/v1
23 | kind: Deployment
24 | metadata:
25 |   name: sleep
26 | spec:
27 |   replicas: 1
28 |   selector:
29 |     matchLabels:
30 |       app: sleep
31 |   template:
32 |     metadata:
33 |       labels:
34 |         app: sleep
35 |     spec:
36 |       serviceAccountName: sleep
37 |       containers:
38 |       - name: sleep
39 |         image: governmentpaas/curl-ssl
40 |         command: ["/bin/sleep", "3650d"]
41 |         imagePullPolicy: IfNotPresent
42 |         volumeMounts:
43 |         - mountPath: /etc/sleep/tls
44 |           name: secret-volume
45 |       volumes:
46 |       - name: secret-volume
47 |         secret:
48 |           secretName: sleep-secret
49 |           optional: true
50 | ---
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.sleep
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/sleep.yaml:22-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
22 | apiVersion: apps/v1
23 | kind: Deployment
24 | metadata:
25 |   name: sleep
26 | spec:
27 |   replicas: 1
28 |   selector:
29 |     matchLabels:
30 |       app: sleep
31 |   template:
32 |     metadata:
33 |       labels:
34 |         app: sleep
35 |     spec:
36 |       serviceAccountName: sleep
37 |       containers:
38 |       - name: sleep
39 |         image: governmentpaas/curl-ssl
40 |         command: ["/bin/sleep", "3650d"]
41 |         imagePullPolicy: IfNotPresent
42 |         volumeMounts:
43 |         - mountPath: /etc/sleep/tls
44 |           name: secret-volume
45 |       volumes:
46 |       - name: secret-volume
47 |         secret:
48 |           secretName: sleep-secret
49 |           optional: true
50 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.sleep
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/sleep.yaml:22-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
22 | apiVersion: apps/v1
23 | kind: Deployment
24 | metadata:
25 | name: sleep
26 | spec:
27 | replicas: 1
28 | selector:
29 | matchLabels:
30 | app: sleep
31 | template:
32 | metadata:
33 | labels:
34 | app: sleep
35 | spec:
36 | serviceAccountName: sleep
37 | containers:
38 | - name: sleep
39 | image: governmentpaas/curl-ssl
40 | command: ["/bin/sleep", "3650d"]
41 | imagePullPolicy: IfNotPresent
42 | volumeMounts:
43 | - mountPath: /etc/sleep/tls
44 | name: secret-volume
45 | volumes:
46 | - name: secret-volume
47 | secret:
48 | secretName: sleep-secret
49 | optional: true
50 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.sleep
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/sleep.yaml:22-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
22 | apiVersion: apps/v1
23 | kind: Deployment
24 | metadata:
25 | name: sleep
26 | spec:
27 | replicas: 1
28 | selector:
29 | matchLabels:
30 | app: sleep
31 | template:
32 | metadata:
33 | labels:
34 | app: sleep
35 | spec:
36 | serviceAccountName: sleep
37 | containers:
38 | - name: sleep
39 | image: governmentpaas/curl-ssl
40 | command: ["/bin/sleep", "3650d"]
41 | imagePullPolicy: IfNotPresent
42 | volumeMounts:
43 | - mountPath: /etc/sleep/tls
44 | name: secret-volume
45 | volumes:
46 | - name: secret-volume
47 | secret:
48 | secretName: sleep-secret
49 | optional: true
50 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.sleep
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/sleep.yaml:22-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
22 | apiVersion: apps/v1
23 | kind: Deployment
24 | metadata:
25 | name: sleep
26 | spec:
27 | replicas: 1
28 | selector:
29 | matchLabels:
30 | app: sleep
31 | template:
32 | metadata:
33 | labels:
34 | app: sleep
35 | spec:
36 | serviceAccountName: sleep
37 | containers:
38 | - name: sleep
39 | image: governmentpaas/curl-ssl
40 | command: ["/bin/sleep", "3650d"]
41 | imagePullPolicy: IfNotPresent
42 | volumeMounts:
43 | - mountPath: /etc/sleep/tls
44 | name: secret-volume
45 | volumes:
46 | - name: secret-volume
47 | secret:
48 | secretName: sleep-secret
49 | optional: true
50 | ---
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.sleep
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/sleep.yaml:22-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
22 | apiVersion: apps/v1
23 | kind: Deployment
24 | metadata:
25 | name: sleep
26 | spec:
27 | replicas: 1
28 | selector:
29 | matchLabels:
30 | app: sleep
31 | template:
32 | metadata:
33 | labels:
34 | app: sleep
35 | spec:
36 | serviceAccountName: sleep
37 | containers:
38 | - name: sleep
39 | image: governmentpaas/curl-ssl
40 | command: ["/bin/sleep", "3650d"]
41 | imagePullPolicy: IfNotPresent
42 | volumeMounts:
43 | - mountPath: /etc/sleep/tls
44 | name: secret-volume
45 | volumes:
46 | - name: secret-volume
47 | secret:
48 | secretName: sleep-secret
49 | optional: true
50 | ---
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.sleep
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/sleep.yaml:22-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
22 | apiVersion: apps/v1
23 | kind: Deployment
24 | metadata:
25 | name: sleep
26 | spec:
27 | replicas: 1
28 | selector:
29 | matchLabels:
30 | app: sleep
31 | template:
32 | metadata:
33 | labels:
34 | app: sleep
35 | spec:
36 | serviceAccountName: sleep
37 | containers:
38 | - name: sleep
39 | image: governmentpaas/curl-ssl
40 | command: ["/bin/sleep", "3650d"]
41 | imagePullPolicy: IfNotPresent
42 | volumeMounts:
43 | - mountPath: /etc/sleep/tls
44 | name: secret-volume
45 | volumes:
46 | - name: secret-volume
47 | secret:
48 | secretName: sleep-secret
49 | optional: true
50 | ---
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.sleep
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/sleep.yaml:22-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
22 | apiVersion: apps/v1
23 | kind: Deployment
24 | metadata:
25 | name: sleep
26 | spec:
27 | replicas: 1
28 | selector:
29 | matchLabels:
30 | app: sleep
31 | template:
32 | metadata:
33 | labels:
34 | app: sleep
35 | spec:
36 | serviceAccountName: sleep
37 | containers:
38 | - name: sleep
39 | image: governmentpaas/curl-ssl
40 | command: ["/bin/sleep", "3650d"]
41 | imagePullPolicy: IfNotPresent
42 | volumeMounts:
43 | - mountPath: /etc/sleep/tls
44 | name: secret-volume
45 | volumes:
46 | - name: secret-volume
47 | secret:
48 | secretName: sleep-secret
49 | optional: true
50 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.sleep
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/sleep.yaml:22-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
22 | apiVersion: apps/v1
23 | kind: Deployment
24 | metadata:
25 | name: sleep
26 | spec:
27 | replicas: 1
28 | selector:
29 | matchLabels:
30 | app: sleep
31 | template:
32 | metadata:
33 | labels:
34 | app: sleep
35 | spec:
36 | serviceAccountName: sleep
37 | containers:
38 | - name: sleep
39 | image: governmentpaas/curl-ssl
40 | command: ["/bin/sleep", "3650d"]
41 | imagePullPolicy: IfNotPresent
42 | volumeMounts:
43 | - mountPath: /etc/sleep/tls
44 | name: secret-volume
45 | volumes:
46 | - name: secret-volume
47 | secret:
48 | secretName: sleep-secret
49 | optional: true
50 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ServiceAccount.default.httpbin
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/httpbin.yaml:4-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
4 | apiVersion: v1
5 | kind: ServiceAccount
6 | metadata:
7 | name: httpbin
8 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.httpbin
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/httpbin.yaml:9-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
9 | apiVersion: v1
10 | kind: Service
11 | metadata:
12 | name: httpbin
13 | labels:
14 | app: httpbin
15 | spec:
16 | ports:
17 | - name: http
18 | port: 8000
19 | targetPort: 80
20 | selector:
21 | app: httpbin
22 | ---
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.httpbin
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/httpbin.yaml:23-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
23 | apiVersion: apps/v1
24 | kind: Deployment
25 | metadata:
26 | name: httpbin
27 | spec:
28 | replicas: 1
29 | selector:
30 | matchLabels:
31 | app: httpbin
32 | version: v1
33 | template:
34 | metadata:
35 | labels:
36 | app: httpbin
37 | version: v1
38 | spec:
39 | serviceAccountName: httpbin
40 | containers:
41 | - image: docker.io/kennethreitz/httpbin
42 | imagePullPolicy: IfNotPresent
43 | name: httpbin
44 | ports:
45 | - containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.httpbin
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/httpbin.yaml:23-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
23 | apiVersion: apps/v1
24 | kind: Deployment
25 | metadata:
26 | name: httpbin
27 | spec:
28 | replicas: 1
29 | selector:
30 | matchLabels:
31 | app: httpbin
32 | version: v1
33 | template:
34 | metadata:
35 | labels:
36 | app: httpbin
37 | version: v1
38 | spec:
39 | serviceAccountName: httpbin
40 | containers:
41 | - image: docker.io/kennethreitz/httpbin
42 | imagePullPolicy: IfNotPresent
43 | name: httpbin
44 | ports:
45 | - containerPort: 80
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.httpbin
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/httpbin.yaml:23-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
23 | apiVersion: apps/v1
24 | kind: Deployment
25 | metadata:
26 | name: httpbin
27 | spec:
28 | replicas: 1
29 | selector:
30 | matchLabels:
31 | app: httpbin
32 | version: v1
33 | template:
34 | metadata:
35 | labels:
36 | app: httpbin
37 | version: v1
38 | spec:
39 | serviceAccountName: httpbin
40 | containers:
41 | - image: docker.io/kennethreitz/httpbin
42 | imagePullPolicy: IfNotPresent
43 | name: httpbin
44 | ports:
45 | - containerPort: 80
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.httpbin
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/httpbin.yaml:23-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
23 | apiVersion: apps/v1
24 | kind: Deployment
25 | metadata:
26 | name: httpbin
27 | spec:
28 | replicas: 1
29 | selector:
30 | matchLabels:
31 | app: httpbin
32 | version: v1
33 | template:
34 | metadata:
35 | labels:
36 | app: httpbin
37 | version: v1
38 | spec:
39 | serviceAccountName: httpbin
40 | containers:
41 | - image: docker.io/kennethreitz/httpbin
42 | imagePullPolicy: IfNotPresent
43 | name: httpbin
44 | ports:
45 | - containerPort: 80
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.httpbin
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/httpbin.yaml:23-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
23 | apiVersion: apps/v1
24 | kind: Deployment
25 | metadata:
26 | name: httpbin
27 | spec:
28 | replicas: 1
29 | selector:
30 | matchLabels:
31 | app: httpbin
32 | version: v1
33 | template:
34 | metadata:
35 | labels:
36 | app: httpbin
37 | version: v1
38 | spec:
39 | serviceAccountName: httpbin
40 | containers:
41 | - image: docker.io/kennethreitz/httpbin
42 | imagePullPolicy: IfNotPresent
43 | name: httpbin
44 | ports:
45 | - containerPort: 80
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.httpbin
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/httpbin.yaml:23-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
23 | apiVersion: apps/v1
24 | kind: Deployment
25 | metadata:
26 | name: httpbin
27 | spec:
28 | replicas: 1
29 | selector:
30 | matchLabels:
31 | app: httpbin
32 | version: v1
33 | template:
34 | metadata:
35 | labels:
36 | app: httpbin
37 | version: v1
38 | spec:
39 | serviceAccountName: httpbin
40 | containers:
41 | - image: docker.io/kennethreitz/httpbin
42 | imagePullPolicy: IfNotPresent
43 | name: httpbin
44 | ports:
45 | - containerPort: 80
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.httpbin
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/httpbin.yaml:23-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
23 | apiVersion: apps/v1
24 | kind: Deployment
25 | metadata:
26 | name: httpbin
27 | spec:
28 | replicas: 1
29 | selector:
30 | matchLabels:
31 | app: httpbin
32 | version: v1
33 | template:
34 | metadata:
35 | labels:
36 | app: httpbin
37 | version: v1
38 | spec:
39 | serviceAccountName: httpbin
40 | containers:
41 | - image: docker.io/kennethreitz/httpbin
42 | imagePullPolicy: IfNotPresent
43 | name: httpbin
44 | ports:
45 | - containerPort: 80
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.httpbin
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/httpbin.yaml:23-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
23 | apiVersion: apps/v1
24 | kind: Deployment
25 | metadata:
26 | name: httpbin
27 | spec:
28 | replicas: 1
29 | selector:
30 | matchLabels:
31 | app: httpbin
32 | version: v1
33 | template:
34 | metadata:
35 | labels:
36 | app: httpbin
37 | version: v1
38 | spec:
39 | serviceAccountName: httpbin
40 | containers:
41 | - image: docker.io/kennethreitz/httpbin
42 | imagePullPolicy: IfNotPresent
43 | name: httpbin
44 | ports:
45 | - containerPort: 80
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.httpbin
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/httpbin.yaml:23-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
23 | apiVersion: apps/v1
24 | kind: Deployment
25 | metadata:
26 | name: httpbin
27 | spec:
28 | replicas: 1
29 | selector:
30 | matchLabels:
31 | app: httpbin
32 | version: v1
33 | template:
34 | metadata:
35 | labels:
36 | app: httpbin
37 | version: v1
38 | spec:
39 | serviceAccountName: httpbin
40 | containers:
41 | - image: docker.io/kennethreitz/httpbin
42 | imagePullPolicy: IfNotPresent
43 | name: httpbin
44 | ports:
45 | - containerPort: 80
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.httpbin
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/httpbin.yaml:23-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
23 | apiVersion: apps/v1
24 | kind: Deployment
25 | metadata:
26 | name: httpbin
27 | spec:
28 | replicas: 1
29 | selector:
30 | matchLabels:
31 | app: httpbin
32 | version: v1
33 | template:
34 | metadata:
35 | labels:
36 | app: httpbin
37 | version: v1
38 | spec:
39 | serviceAccountName: httpbin
40 | containers:
41 | - image: docker.io/kennethreitz/httpbin
42 | imagePullPolicy: IfNotPresent
43 | name: httpbin
44 | ports:
45 | - containerPort: 80
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.httpbin
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/httpbin.yaml:23-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
23 | apiVersion: apps/v1
24 | kind: Deployment
25 | metadata:
26 | name: httpbin
27 | spec:
28 | replicas: 1
29 | selector:
30 | matchLabels:
31 | app: httpbin
32 | version: v1
33 | template:
34 | metadata:
35 | labels:
36 | app: httpbin
37 | version: v1
38 | spec:
39 | serviceAccountName: httpbin
40 | containers:
41 | - image: docker.io/kennethreitz/httpbin
42 | imagePullPolicy: IfNotPresent
43 | name: httpbin
44 | ports:
45 | - containerPort: 80
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.httpbin
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/httpbin.yaml:23-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
23 | apiVersion: apps/v1
24 | kind: Deployment
25 | metadata:
26 | name: httpbin
27 | spec:
28 | replicas: 1
29 | selector:
30 | matchLabels:
31 | app: httpbin
32 | version: v1
33 | template:
34 | metadata:
35 | labels:
36 | app: httpbin
37 | version: v1
38 | spec:
39 | serviceAccountName: httpbin
40 | containers:
41 | - image: docker.io/kennethreitz/httpbin
42 | imagePullPolicy: IfNotPresent
43 | name: httpbin
44 | ports:
45 | - containerPort: 80
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.httpbin
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/httpbin.yaml:23-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
23 | apiVersion: apps/v1
24 | kind: Deployment
25 | metadata:
26 | name: httpbin
27 | spec:
28 | replicas: 1
29 | selector:
30 | matchLabels:
31 | app: httpbin
32 | version: v1
33 | template:
34 | metadata:
35 | labels:
36 | app: httpbin
37 | version: v1
38 | spec:
39 | serviceAccountName: httpbin
40 | containers:
41 | - image: docker.io/kennethreitz/httpbin
42 | imagePullPolicy: IfNotPresent
43 | name: httpbin
44 | ports:
45 | - containerPort: 80
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.httpbin
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/httpbin.yaml:23-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
23 | apiVersion: apps/v1
24 | kind: Deployment
25 | metadata:
26 | name: httpbin
27 | spec:
28 | replicas: 1
29 | selector:
30 | matchLabels:
31 | app: httpbin
32 | version: v1
33 | template:
34 | metadata:
35 | labels:
36 | app: httpbin
37 | version: v1
38 | spec:
39 | serviceAccountName: httpbin
40 | containers:
41 | - image: docker.io/kennethreitz/httpbin
42 | imagePullPolicy: IfNotPresent
43 | name: httpbin
44 | ports:
45 | - containerPort: 80
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.httpbin
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/httpbin.yaml:23-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
23 | apiVersion: apps/v1
24 | kind: Deployment
25 | metadata:
26 | name: httpbin
27 | spec:
28 | replicas: 1
29 | selector:
30 | matchLabels:
31 | app: httpbin
32 | version: v1
33 | template:
34 | metadata:
35 | labels:
36 | app: httpbin
37 | version: v1
38 | spec:
39 | serviceAccountName: httpbin
40 | containers:
41 | - image: docker.io/kennethreitz/httpbin
42 | imagePullPolicy: IfNotPresent
43 | name: httpbin
44 | ports:
45 | - containerPort: 80
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.httpbin
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/httpbin.yaml:23-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
23 | apiVersion: apps/v1
24 | kind: Deployment
25 | metadata:
26 | name: httpbin
27 | spec:
28 | replicas: 1
29 | selector:
30 | matchLabels:
31 | app: httpbin
32 | version: v1
33 | template:
34 | metadata:
35 | labels:
36 | app: httpbin
37 | version: v1
38 | spec:
39 | serviceAccountName: httpbin
40 | containers:
41 | - image: docker.io/kennethreitz/httpbin
42 | imagePullPolicy: IfNotPresent
43 | name: httpbin
44 | ports:
45 | - containerPort: 80
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.httpbin
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/httpbin.yaml:23-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
23 | apiVersion: apps/v1
24 | kind: Deployment
25 | metadata:
26 | name: httpbin
27 | spec:
28 | replicas: 1
29 | selector:
30 | matchLabels:
31 | app: httpbin
32 | version: v1
33 | template:
34 | metadata:
35 | labels:
36 | app: httpbin
37 | version: v1
38 | spec:
39 | serviceAccountName: httpbin
40 | containers:
41 | - image: docker.io/kennethreitz/httpbin
42 | imagePullPolicy: IfNotPresent
43 | name: httpbin
44 | ports:
45 | - containerPort: 80
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.httpbin
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/httpbin.yaml:23-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
23 | apiVersion: apps/v1
24 | kind: Deployment
25 | metadata:
26 | name: httpbin
27 | spec:
28 | replicas: 1
29 | selector:
30 | matchLabels:
31 | app: httpbin
32 | version: v1
33 | template:
34 | metadata:
35 | labels:
36 | app: httpbin
37 | version: v1
38 | spec:
39 | serviceAccountName: httpbin
40 | containers:
41 | - image: docker.io/kennethreitz/httpbin
42 | imagePullPolicy: IfNotPresent
43 | name: httpbin
44 | ports:
45 | - containerPort: 80
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.httpbin
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/httpbin.yaml:23-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
23 | apiVersion: apps/v1
24 | kind: Deployment
25 | metadata:
26 | name: httpbin
27 | spec:
28 | replicas: 1
29 | selector:
30 | matchLabels:
31 | app: httpbin
32 | version: v1
33 | template:
34 | metadata:
35 | labels:
36 | app: httpbin
37 | version: v1
38 | spec:
39 | serviceAccountName: httpbin
40 | containers:
41 | - image: docker.io/kennethreitz/httpbin
42 | imagePullPolicy: IfNotPresent
43 | name: httpbin
44 | ports:
45 | - containerPort: 80
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.httpbin
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/httpbin.yaml:23-45
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
23 | apiVersion: apps/v1
24 | kind: Deployment
25 | metadata:
26 | name: httpbin
27 | spec:
28 | replicas: 1
29 | selector:
30 | matchLabels:
31 | app: httpbin
32 | version: v1
33 | template:
34 | metadata:
35 | labels:
36 | app: httpbin
37 | version: v1
38 | spec:
39 | serviceAccountName: httpbin
40 | containers:
41 | - image: docker.io/kennethreitz/httpbin
42 | imagePullPolicy: IfNotPresent
43 | name: httpbin
44 | ports:
45 | - containerPort: 80
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun__python/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: devops-deployment
6 | labels:
7 | app: devops
8 | tier: frontend
9 | spec:
10 | replicas: 3
11 | selector:
12 | matchLabels:
13 | app: devops
14 | tier: frontend
15 | template:
16 | metadata:
17 | labels:
18 | app: devops
19 | tier: frontend
20 | spec:
21 | containers:
22 | - name: devops-demo
23 | image:
24 | ports:
25 | - containerPort: 8080
26 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun__python/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: devops-deployment
6 | labels:
7 | app: devops
8 | tier: frontend
9 | spec:
10 | replicas: 3
11 | selector:
12 | matchLabels:
13 | app: devops
14 | tier: frontend
15 | template:
16 | metadata:
17 | labels:
18 | app: devops
19 | tier: frontend
20 | spec:
21 | containers:
22 | - name: devops-demo
23 | image:
24 | ports:
25 | - containerPort: 8080
26 | ---
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun__python/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: devops-deployment
6 | labels:
7 | app: devops
8 | tier: frontend
9 | spec:
10 | replicas: 3
11 | selector:
12 | matchLabels:
13 | app: devops
14 | tier: frontend
15 | template:
16 | metadata:
17 | labels:
18 | app: devops
19 | tier: frontend
20 | spec:
21 | containers:
22 | - name: devops-demo
23 | image:
24 | ports:
25 | - containerPort: 8080
26 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun__python/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: devops-deployment
6 | labels:
7 | app: devops
8 | tier: frontend
9 | spec:
10 | replicas: 3
11 | selector:
12 | matchLabels:
13 | app: devops
14 | tier: frontend
15 | template:
16 | metadata:
17 | labels:
18 | app: devops
19 | tier: frontend
20 | spec:
21 | containers:
22 | - name: devops-demo
23 | image:
24 | ports:
25 | - containerPort: 8080
26 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun__python/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: devops-deployment
6 | labels:
7 | app: devops
8 | tier: frontend
9 | spec:
10 | replicas: 3
11 | selector:
12 | matchLabels:
13 | app: devops
14 | tier: frontend
15 | template:
16 | metadata:
17 | labels:
18 | app: devops
19 | tier: frontend
20 | spec:
21 | containers:
22 | - name: devops-demo
23 | image:
24 | ports:
25 | - containerPort: 8080
26 | ---
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun__python/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: devops-deployment
6 | labels:
7 | app: devops
8 | tier: frontend
9 | spec:
10 | replicas: 3
11 | selector:
12 | matchLabels:
13 | app: devops
14 | tier: frontend
15 | template:
16 | metadata:
17 | labels:
18 | app: devops
19 | tier: frontend
20 | spec:
21 | containers:
22 | - name: devops-demo
23 | image:
24 | ports:
25 | - containerPort: 8080
26 | ---
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun__python/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: devops-deployment
6 | labels:
7 | app: devops
8 | tier: frontend
9 | spec:
10 | replicas: 3
11 | selector:
12 | matchLabels:
13 | app: devops
14 | tier: frontend
15 | template:
16 | metadata:
17 | labels:
18 | app: devops
19 | tier: frontend
20 | spec:
21 | containers:
22 | - name: devops-demo
23 | image:
24 | ports:
25 | - containerPort: 8080
26 | ---
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun__python/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: devops-deployment
6 | labels:
7 | app: devops
8 | tier: frontend
9 | spec:
10 | replicas: 3
11 | selector:
12 | matchLabels:
13 | app: devops
14 | tier: frontend
15 | template:
16 | metadata:
17 | labels:
18 | app: devops
19 | tier: frontend
20 | spec:
21 | containers:
22 | - name: devops-demo
23 | image:
24 | ports:
25 | - containerPort: 8080
26 | ---
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun__python/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: devops-deployment
6 | labels:
7 | app: devops
8 | tier: frontend
9 | spec:
10 | replicas: 3
11 | selector:
12 | matchLabels:
13 | app: devops
14 | tier: frontend
15 | template:
16 | metadata:
17 | labels:
18 | app: devops
19 | tier: frontend
20 | spec:
21 | containers:
22 | - name: devops-demo
23 | image:
24 | ports:
25 | - containerPort: 8080
26 | ---
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun__python/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: devops-deployment
6 | labels:
7 | app: devops
8 | tier: frontend
9 | spec:
10 | replicas: 3
11 | selector:
12 | matchLabels:
13 | app: devops
14 | tier: frontend
15 | template:
16 | metadata:
17 | labels:
18 | app: devops
19 | tier: frontend
20 | spec:
21 | containers:
22 | - name: devops-demo
23 | image:
24 | ports:
25 | - containerPort: 8080
26 | ---
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun__python/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: devops-deployment
6 | labels:
7 | app: devops
8 | tier: frontend
9 | spec:
10 | replicas: 3
11 | selector:
12 | matchLabels:
13 | app: devops
14 | tier: frontend
15 | template:
16 | metadata:
17 | labels:
18 | app: devops
19 | tier: frontend
20 | spec:
21 | containers:
22 | - name: devops-demo
23 | image:
24 | ports:
25 | - containerPort: 8080
26 | ---
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun__python/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: devops-deployment
6 | labels:
7 | app: devops
8 | tier: frontend
9 | spec:
10 | replicas: 3
11 | selector:
12 | matchLabels:
13 | app: devops
14 | tier: frontend
15 | template:
16 | metadata:
17 | labels:
18 | app: devops
19 | tier: frontend
20 | spec:
21 | containers:
22 | - name: devops-demo
23 | image:
24 | ports:
25 | - containerPort: 8080
26 | ---
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun__python/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: devops-deployment
6 | labels:
7 | app: devops
8 | tier: frontend
9 | spec:
10 | replicas: 3
11 | selector:
12 | matchLabels:
13 | app: devops
14 | tier: frontend
15 | template:
16 | metadata:
17 | labels:
18 | app: devops
19 | tier: frontend
20 | spec:
21 | containers:
22 | - name: devops-demo
23 | image:
24 | ports:
25 | - containerPort: 8080
26 | ---
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun__python/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: devops-deployment
6 | labels:
7 | app: devops
8 | tier: frontend
9 | spec:
10 | replicas: 3
11 | selector:
12 | matchLabels:
13 | app: devops
14 | tier: frontend
15 | template:
16 | metadata:
17 | labels:
18 | app: devops
19 | tier: frontend
20 | spec:
21 | containers:
22 | - name: devops-demo
23 | image:
24 | ports:
25 | - containerPort: 8080
26 | ---
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun__python/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: devops-deployment
6 | labels:
7 | app: devops
8 | tier: frontend
9 | spec:
10 | replicas: 3
11 | selector:
12 | matchLabels:
13 | app: devops
14 | tier: frontend
15 | template:
16 | metadata:
17 | labels:
18 | app: devops
19 | tier: frontend
20 | spec:
21 | containers:
22 | - name: devops-demo
23 | image:
24 | ports:
25 | - containerPort: 8080
26 | ---
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun__python/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: devops-deployment
6 | labels:
7 | app: devops
8 | tier: frontend
9 | spec:
10 | replicas: 3
11 | selector:
12 | matchLabels:
13 | app: devops
14 | tier: frontend
15 | template:
16 | metadata:
17 | labels:
18 | app: devops
19 | tier: frontend
20 | spec:
21 | containers:
22 | - name: devops-demo
23 | image:
24 | ports:
25 | - containerPort: 8080
26 | ---
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun__python/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: devops-deployment
6 | labels:
7 | app: devops
8 | tier: frontend
9 | spec:
10 | replicas: 3
11 | selector:
12 | matchLabels:
13 | app: devops
14 | tier: frontend
15 | template:
16 | metadata:
17 | labels:
18 | app: devops
19 | tier: frontend
20 | spec:
21 | containers:
22 | - name: devops-demo
23 | image:
24 | ports:
25 | - containerPort: 8080
26 | ---
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun__python/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: devops-deployment
6 | labels:
7 | app: devops
8 | tier: frontend
9 | spec:
10 | replicas: 3
11 | selector:
12 | matchLabels:
13 | app: devops
14 | tier: frontend
15 | template:
16 | metadata:
17 | labels:
18 | app: devops
19 | tier: frontend
20 | spec:
21 | containers:
22 | - name: devops-demo
23 | image:
24 | ports:
25 | - containerPort: 8080
26 | ---
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.devops-deployment
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun__python/k8s-manifests.yaml:2-26
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 | name: devops-deployment
6 | labels:
7 | app: devops
8 | tier: frontend
9 | spec:
10 | replicas: 3
11 | selector:
12 | matchLabels:
13 | app: devops
14 | tier: frontend
15 | template:
16 | metadata:
17 | labels:
18 | app: devops
19 | tier: frontend
20 | spec:
21 | containers:
22 | - name: devops-demo
23 | image:
24 | ports:
25 | - containerPort: 8080
26 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.devops-deployment-lb
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun__python/k8s-manifests.yaml:27-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
27 | apiVersion: v1
28 | kind: Service
29 | metadata:
30 | name: devops-deployment-lb
31 | labels:
32 | app: devops
33 | tier: frontend-lb
34 | spec:
35 | type: LoadBalancer
36 | ports:
37 | - port: 80
38 | targetPort: 8080
39 | selector:
40 | app: devops
41 | tier: frontend
Check: CKV2_K8S_5: "No ServiceAccount/Node should be able to read all secrets"
FAILED for resource: RoleBinding.ingress-nginx-ext.ingress-nginx-ext-admission
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/build/ingress_nginx_ext_all.yaml:284-308
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/no-serviceaccountnode-should-be-able-to-read-all-secrets.html
284 | apiVersion: rbac.authorization.k8s.io/v1
285 | kind: RoleBinding
286 | metadata:
287 | annotations:
288 | helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
289 | helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
290 | labels:
291 | app.kubernetes.io/component: admission-webhook
292 | app.kubernetes.io/instance: ingress-nginx-ext
293 | app.kubernetes.io/managed-by: Helm
294 | app.kubernetes.io/name: ingress-nginx
295 | app.kubernetes.io/part-of: ingress-nginx
296 | app.kubernetes.io/version: 1.8.0
297 | helm.sh/chart: ingress-nginx-4.7.0
298 | name: ingress-nginx-ext-admission
299 | namespace: ingress-nginx-ext
300 | roleRef:
301 | apiGroup: rbac.authorization.k8s.io
302 | kind: Role
303 | name: ingress-nginx-ext-admission
304 | subjects:
305 | - kind: ServiceAccount
306 | name: ingress-nginx-ext-admission
307 | namespace: ingress-nginx-ext
308 | ---
Check: CKV2_K8S_5: "No ServiceAccount/Node should be able to read all secrets"
FAILED for resource: RoleBinding.ingress-nginx-ext.ingress-nginx-ext-admission
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/vendor/ingress-nginx/ingress-nginx-ext-vendor.yaml:590-614
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/no-serviceaccountnode-should-be-able-to-read-all-secrets.html
590 | apiVersion: rbac.authorization.k8s.io/v1
591 | kind: RoleBinding
592 | metadata:
593 | name: ingress-nginx-ext-admission
594 | namespace: ingress-nginx-ext
595 | annotations:
596 | "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
597 | "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
598 | labels:
599 | helm.sh/chart: ingress-nginx-4.7.0
600 | app.kubernetes.io/name: ingress-nginx
601 | app.kubernetes.io/instance: ingress-nginx-ext
602 | app.kubernetes.io/version: "1.8.0"
603 | app.kubernetes.io/part-of: ingress-nginx
604 | app.kubernetes.io/managed-by: Helm
605 | app.kubernetes.io/component: admission-webhook
606 | roleRef:
607 | apiGroup: rbac.authorization.k8s.io
608 | kind: Role
609 | name: ingress-nginx-ext-admission
610 | subjects:
611 | - kind: ServiceAccount
612 | name: ingress-nginx-ext-admission
613 | namespace: "ingress-nginx-ext"
614 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.nginx-dep.app-nginx-dep
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_008_k8s_nginx/dep.yaml:1-24
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | creationTimestamp: null
5 | labels:
6 | app: nginx-dep
7 | name: nginx-dep
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: nginx-dep
13 | strategy: {}
14 | template:
15 | metadata:
16 | creationTimestamp: null
17 | labels:
18 | app: nginx-dep
19 | spec:
20 | containers:
21 | - image: dubizzledotcom/demo-nginx
22 | name: demo-nginx
23 | resources: {}
24 | status: {}
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.db.io.kompose.service-db
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/db-deployment.yaml:1-47
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | annotations:
5 | kompose.cmd: kompose convert
6 | kompose.version: 1.18.0 (06a2e56)
7 | labels:
8 | io.kompose.service: db
9 | name: db
10 | spec:
11 | replicas: 1
12 | strategy:
13 | type: Recreate
14 | template:
15 | metadata:
16 | labels:
17 | io.kompose.service: db
18 | spec:
19 | containers:
20 | - env:
21 | - name: MONGO_INITDB_ROOT_PASSWORD
22 | # value: "password"
23 | valueFrom:
24 | secretKeyRef:
25 | name: mongo-secret
26 | key: MONGO_PASSWORD
27 | - name: MONGO_INITDB_ROOT_USERNAME
28 | # value: "admin"
29 | valueFrom:
30 | secretKeyRef:
31 | name: mongo-secret
32 | key: MONGO_USERNAME
33 | image: mongo:4.1.8-xenial
34 | name: db
35 | resources: {}
36 | volumeMounts:
37 | - mountPath: /data/db
38 | name: dbdata
39 | restartPolicy: Always
40 | volumes:
41 | - name: dbdata
42 | persistentVolumeClaim:
43 | claimName: dbdata
44 | selector:
45 | matchLabels:
46 | io.kompose.service: db
47 | status: {}
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.nodejs.io.kompose.service-nodejs
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/nodejs-deployment.yaml:1-56
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.nginx
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_010_logging_and_monitoring/nginx.yaml:1-19
1 | apiVersion: apps/v1
2 | kind: ReplicaSet
3 | metadata:
4 | name: nginx
5 | spec:
6 | selector:
7 | matchLabels:
8 | app: webapp
9 | template:
10 | metadata:
11 | annotations:
12 | ad.datadoghq.com/nginx.logs: '[{"source":"nginx","service":"webapp"}]'
13 | labels:
14 | app: webapp
15 | name: nginx
16 | spec:
17 | containers:
18 | - name: nginx
19 | image: nginx
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.mongo-mongodb-arbiter.app.kubernetes.io/name-mongodb.helm.sh/chart-mongodb-10.7.1.app.kubernetes.io/instance-mongo.app.kubernetes.io/managed-by-Helm.app.kubernetes.io/component-arbiter
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:97-208
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.mongo-mongodb.app.kubernetes.io/name-mongodb.helm.sh/chart-mongodb-10.7.1.app.kubernetes.io/instance-mongo.app.kubernetes.io/managed-by-Helm.app.kubernetes.io/component-mongodb
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-db.yaml:210-361
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.app-nodeapp.app.kubernetes.io/name-nodeapp.app.kubernetes.io/instance-app
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:59-139
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.app-nodeapp-test-connection
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:165-183
165 | apiVersion: v1
166 | kind: Pod
167 | metadata:
168 | name: "app-nodeapp-test-connection"
169 | labels:
170 | helm.sh/chart: nodeapp-0.1.0
171 | app.kubernetes.io/name: nodeapp
172 | app.kubernetes.io/instance: app
173 | app.kubernetes.io/version: "1.16.0"
174 | app.kubernetes.io/managed-by: Helm
175 | annotations:
176 | "helm.sh/hook": test
177 | spec:
178 | containers:
179 | - name: wget
180 | image: busybox
181 | command: ['wget']
182 | args: ['app-nodeapp:80']
183 | restartPolicy: Never
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.www.app-www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_021__gcp__intermediate_namespace_wide_kubeconfig/www.yaml:1-21
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: www
5 | namespace: kube-system
6 | spec:
7 | replicas: 3
8 | selector:
9 | matchLabels:
10 | app: www
11 | template:
12 | metadata:
13 | labels:
14 | app: www
15 | spec:
16 | containers:
17 | - name: nginx
18 | image: nginx:1.14-alpine
19 | ports:
20 | - containerPort: 80
21 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.whoami.app-whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/25-whoami-deployment.yaml:1-24
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | namespace: default
5 | name: whoami
6 | labels:
7 | app: whoami
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: whoami
14 | template:
15 | metadata:
16 | labels:
17 | app: whoami
18 | spec:
19 | containers:
20 | - name: whoami
21 | image: containous/whoami
22 | ports:
23 | - name: web
24 | containerPort: 80
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.traefik.app-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_032__gcp__traefik_whoami_tls_custom_certs/15-traefik-deployment.yaml:2-43
2 | kind: Deployment
3 | apiVersion: apps/v1
4 | metadata:
5 | name: traefik
6 | labels:
7 | app: traefik
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: traefik
14 | template:
15 | metadata:
16 | labels:
17 | app: traefik
18 | spec:
19 | serviceAccountName: traefik-ingress-controller
20 | volumes:
21 | - name: config
22 | configMap:
23 | name: traefik-config-map
24 | - name: start-domain-com-ssl
25 | secret:
26 | secretName: start-domain-com-ssl
27 | containers:
28 | - name: traefik
29 | image: traefik:v2.2.1
30 | ports:
31 | - name: web
32 | containerPort: 80
33 | - name: admin
34 | containerPort: 8080
35 | - name: websecure
36 | containerPort: 443
37 | volumeMounts:
38 | - mountPath: /etc/traefik/traefik.toml
39 | name: config
40 | subPath: traefik.toml
41 | - mountPath: "/var/ssl/start-domain-com-ssl"
42 | name: start-domain-com-ssl
43 | readOnly: true
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.ingress-nginx-ext-controller.app.kubernetes.io/component-controller.app.kubernetes.io/instance-ingress-nginx-ext.app.kubernetes.io/managed-by-Helm.app.kubernetes.io/name-ingress-nginx.app.kubernetes.io/part-of-ingress-nginx.app.kubernetes.io/version-1.8.0.helm.sh/chart-ingress-nginx-4.7.0
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/build/ingress_nginx_ext_all.yaml:432-550
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.ingress-nginx-ext-admission-create
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/build/ingress_nginx_ext_all.yaml:551-604
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.ingress-nginx-ext-admission-patch
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/build/ingress_nginx_ext_all.yaml:605-660
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.ingress-nginx-ext-controller.helm.sh/chart-ingress-nginx-4.7.0.app.kubernetes.io/name-ingress-nginx.app.kubernetes.io/instance-ingress-nginx-ext.app.kubernetes.io/version-1.8.0.app.kubernetes.io/part-of-ingress-nginx.app.kubernetes.io/managed-by-Helm.app.kubernetes.io/component-controller
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/vendor/ingress-nginx/ingress-nginx-ext-vendor.yaml:319-437
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.ingress-nginx-ext-admission-create
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/vendor/ingress-nginx/ingress-nginx-ext-vendor.yaml:616-669
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.ingress-nginx-ext-admission-patch
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/vendor/ingress-nginx/ingress-nginx-ext-vendor.yaml:671-725
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.whoami.app-whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_041__gcp_k8s__nginx_ingress/base/app/dep_whoami.yaml:1-23
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | namespace: ingress-nginx-ext
5 | name: whoami
6 | labels:
7 | app: whoami
8 | spec:
9 | replicas: 1
10 | selector:
11 | matchLabels:
12 | app: whoami
13 | template:
14 | metadata:
15 | labels:
16 | app: whoami
17 | spec:
18 | containers:
19 | - name: whoami
20 | image: containous/whoami
21 | ports:
22 | - name: web
23 | containerPort: 80
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.kafka-template-zookeeper
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:158-323
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.kafka-template.app.kubernetes.io/name-kafka.helm.sh/chart-kafka-14.1.0.app.kubernetes.io/instance-kafka-template.app.kubernetes.io/managed-by-Helm.app.kubernetes.io/component-kafka
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_008__local__kafka/kafka-manifests.yaml:325-503
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.kube-state-metrics.app.kubernetes.io/name-kube-state-metrics.app.kubernetes.io/version-1.9.5
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/35-deployment.yaml:1-44
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | labels:
5 | app.kubernetes.io/name: kube-state-metrics
6 | app.kubernetes.io/version: 1.9.5
7 | name: kube-state-metrics
8 | namespace: kube-system
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app.kubernetes.io/name: kube-state-metrics
14 | template:
15 | metadata:
16 | labels:
17 | app.kubernetes.io/name: kube-state-metrics
18 | app.kubernetes.io/version: 1.9.5
19 | spec:
20 | containers:
21 | - image: quay.io/coreos/kube-state-metrics:v1.9.5
22 | livenessProbe:
23 | httpGet:
24 | path: /healthz
25 | port: 8080
26 | initialDelaySeconds: 5
27 | timeoutSeconds: 5
28 | name: kube-state-metrics
29 | ports:
30 | - containerPort: 8080
31 | name: http-metrics
32 | - containerPort: 8081
33 | name: telemetry
34 | readinessProbe:
35 | httpGet:
36 | path: /
37 | port: 8081
38 | initialDelaySeconds: 5
39 | timeoutSeconds: 5
40 | securityContext:
41 | runAsUser: 65534
42 | nodeSelector:
43 | kubernetes.io/os: linux
44 | serviceAccountName: kube-state-metrics
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.datadog-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/25-datadog-agent.yaml:1-215
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.datadog-agent
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_028__gcp__configuring_datadog/20-datadog-cluster-agent.yaml:14-57
14 | apiVersion: apps/v1
15 | kind: Deployment
16 | metadata:
17 | name: datadog-cluster-agent
18 | namespace: default
19 | spec:
20 | selector:
21 | matchLabels:
22 | app: datadog-cluster-agent
23 | template:
24 | metadata:
25 | labels:
26 | app: datadog-cluster-agent
27 | name: datadog-agent
28 | annotations:
29 | ad.datadoghq.com/datadog-cluster-agent.check_names: '["prometheus"]'
30 | ad.datadoghq.com/datadog-cluster-agent.init_configs: '[{}]'
31 | ad.datadoghq.com/datadog-cluster-agent.instances: '[{"prometheus_url": "http://%%host%%:5000/metrics","namespace": "datadog.cluster_agent","metrics": ["go_goroutines","go_memstats_*","process_*","api_requests","datadog_requests","external_metrics", "cluster_checks_*"]}]'
32 | spec:
33 | serviceAccountName: dca
34 | containers:
35 | - image: datadog/cluster-agent:latest
36 | imagePullPolicy: Always
37 | name: datadog-cluster-agent
38 | env:
39 | - name: DD_API_KEY
40 | valueFrom:
41 | secretKeyRef:
42 | name: datadog-secret
43 | key: api-key
44 | # Optionally reference an APP KEY for the External Metrics Provider.
45 | # - name: DD_APP_KEY
46 | # value: ''
47 | - name: DD_CLUSTER_AGENT_AUTH_TOKEN
48 | valueFrom:
49 | secretKeyRef:
50 | name: datadog-auth-token
51 | key: token
52 | - name: DD_COLLECT_KUBERNETES_EVENTS
53 | value: "true"
54 | - name: DD_LEADER_ELECTION
55 | value: "true"
56 | - name: DD_EXTERNAL_METRICS_PROVIDER_ENABLED
57 | value: "true"
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.jenkins.app.kubernetes.io/name-jenkins.app.kubernetes.io/managed-by-Helm.app.kubernetes.io/instance-RELEASE-NAME.app.kubernetes.io/component-jenkins-controller
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:312-484
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.whoami.app-whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/25-whoami-deployment.yaml:1-24
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 | namespace: default
5 | name: whoami
6 | labels:
7 | app: whoami
8 |
9 | spec:
10 | replicas: 1
11 | selector:
12 | matchLabels:
13 | app: whoami
14 | template:
15 | metadata:
16 | labels:
17 | app: whoami
18 | spec:
19 | containers:
20 | - name: whoami
21 | image: containous/whoami
22 | ports:
23 | - name: web
24 | containerPort: 80
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.traefik.app-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_023__gcp__traefik_whoami/15-traefik-deployment.yaml:2-37
2 | kind: Deployment
3 | apiVersion: extensions/v1beta1
4 | metadata:
5 |   name: traefik
6 |   labels:
7 |     app: traefik
8 |
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: traefik
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: traefik
18 |     spec:
19 |       serviceAccountName: traefik-ingress-controller
20 |       containers:
21 |         - name: traefik
22 |           image: traefik:v2.2
23 |           args:
24 |             - --accesslog=true
25 |             - --api
26 |             - --api.insecure
27 |             - --entrypoints.web.address=:80
28 |             - --entrypoints.websecure.address=:443
29 |             - --providers.kubernetescrd
30 |             - --configfile=/config/traefik.toml
31 |           ports:
32 |             - name: web
33 |               containerPort: 80
34 |             - name: admin
35 |               containerPort: 8080
36 |             - name: websecure
37 |               containerPort: 443
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.whoami.app-whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/whoami.yaml:3-20
3 | apiVersion: apps/v1
4 | kind: Deployment
5 | metadata:
6 |   name: whoami
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: whoami
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: whoami
16 |     spec:
17 |       containers:
18 |         - name: whoami
19 |           image: containous/whoami:v1.4.0
20 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.cert-manager-name-cainjector.app-cainjector.app.kubernetes.io/name-cainjector.app.kubernetes.io/instance-cert-manager-name.app.kubernetes.io/managed-by-Helm.app.kubernetes.io/component-cainjector.helm.sh/chart-cert-manager-v1.1.1
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:687-731
687 | apiVersion: apps/v1
688 | kind: Deployment
689 | metadata:
690 |   name: cert-manager-name-cainjector
691 |   namespace: "default"
692 |   labels:
693 |     app: cainjector
694 |     app.kubernetes.io/name: cainjector
695 |     app.kubernetes.io/instance: cert-manager-name
696 |     app.kubernetes.io/managed-by: Helm
697 |     app.kubernetes.io/component: "cainjector"
698 |     helm.sh/chart: cert-manager-v1.1.1
699 | spec:
700 |   replicas: 1
701 |   selector:
702 |     matchLabels:
703 |       app.kubernetes.io/name: cainjector
704 |       app.kubernetes.io/instance: cert-manager-name
705 |       app.kubernetes.io/component: "cainjector"
706 |   template:
707 |     metadata:
708 |       labels:
709 |         app: cainjector
710 |         app.kubernetes.io/name: cainjector
711 |         app.kubernetes.io/instance: cert-manager-name
712 |         app.kubernetes.io/managed-by: Helm
713 |         app.kubernetes.io/component: "cainjector"
714 |         helm.sh/chart: cert-manager-v1.1.1
715 |     spec:
716 |       serviceAccountName: cert-manager-name-cainjector
717 |       containers:
718 |         - name: cert-manager
719 |           image: "quay.io/jetstack/cert-manager-cainjector:v1.1.1"
720 |           imagePullPolicy: IfNotPresent
721 |           args:
722 |           - --v=2
723 |           - --leader-election-namespace=kube-system
724 |           env:
725 |           - name: POD_NAMESPACE
726 |             valueFrom:
727 |               fieldRef:
728 |                 fieldPath: metadata.namespace
729 |           resources:
730 |             {}
731 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.cert-manager-name.app-cert-manager.app.kubernetes.io/name-cert-manager.app.kubernetes.io/instance-cert-manager-name.app.kubernetes.io/component-controller.app.kubernetes.io/managed-by-Helm.helm.sh/chart-cert-manager-v1.1.1
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:733-785
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.cert-manager-name-webhook.app-webhook.app.kubernetes.io/name-webhook.app.kubernetes.io/instance-cert-manager-name.app.kubernetes.io/managed-by-Helm.app.kubernetes.io/component-webhook.helm.sh/chart-cert-manager-v1.1.1
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:787-857
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.journalbeat.k8s-app-journalbeat-logging.version-v1.app-journalbeat.name-journalbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_035__gcp__journalbeat/12-daemonset.yaml:1-107
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.helloweb.app-hello.tier-web
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_033__gcp__configuring_dns_with_static_IPs_k8_using_Service/helloweb-deployment.yaml:1-22
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: helloweb
5 |   labels:
6 |     app: hello
7 | spec:
8 |   selector:
9 |     matchLabels:
10 |       app: hello
11 |       tier: web
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: hello
16 |         tier: web
17 |     spec:
18 |       containers:
19 |       - name: hello-app
20 |         image: gcr.io/google-samples/hello-app:1.0
21 |         ports:
22 |         - containerPort: 8080
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.keycloak-keycloakx.app.kubernetes.io/instance-keycloak.app.kubernetes.io/name-keycloakx
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/build/keycloakx_all.yaml:99-277
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.keycloak-db-postgresql
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/vendor/postgresql/keycloak-db-manifest-vendor.yaml:78-237
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.keycloak-keycloakx.app.kubernetes.io/name-keycloakx.app.kubernetes.io/instance-keycloak
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/vendor/keycloakx/keycloak-server-manifest-vendor.yaml:107-293
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.whoami.app-whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_014__aws__traefik_kops_whoami_middleware/whoami.yaml:1-25
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   namespace: default
5 |   name: whoami
6 |   labels:
7 |     app: whoami
8 |
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: whoami
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: whoami
18 |     spec:
19 |       containers:
20 |         - name: whoami
21 |           image: containous/whoami
22 |           ports:
23 |             - name: web
24 |               containerPort: 80
25 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.traefik-helm-template-traefik.app.kubernetes.io/name-traefik.helm.sh/chart-traefik-9.19.1.app.kubernetes.io/managed-by-Helm.app.kubernetes.io/instance-traefik-helm-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_014__aws__traefik_kops_whoami_middleware/traefik-resources.yaml:88-184
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.kafdrop.app.kubernetes.io/name-kafdrop.app.kubernetes.io/instance-kafdrop
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/kafdrop-chart/kafdrop-manifests.yaml:27-103
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.oauth2-oauth2-proxy.app.kubernetes.io/name-oauth2-proxy.helm.sh/chart-oauth2-proxy-0.1.8.app.kubernetes.io/instance-oauth2.app.kubernetes.io/managed-by-Helm.app.kubernetes.io/component-oauth2-proxy
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/oauth2-proxy/oauth2-manifests.yaml:126-251
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.dashboard-metrics-scraper.k8s-app-dashboard-metrics-scraper
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_022__gcp__k8s_dashboard/55-service-dashboard-metrics-scraper.yaml:1-51
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.kubernetes-dashboard.k8s-app-kubernetes-dashboard
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_022__gcp__k8s_dashboard/45-deployment.yaml:1-63
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.nginx-pod-1
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:1-12
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: nginx-pod-1
5 |   labels:
6 |     app: nginx-app
7 | spec:
8 |   containers:
9 |   - name: nginx
10 |     image: nginx
11 |
12 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.nginx-pod-2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:13-24
13 | apiVersion: v1
14 | kind: Pod
15 | metadata:
16 |   name: nginx-pod-2
17 |   labels:
18 |     app: nginx-app
19 | spec:
20 |   containers:
21 |   - name: nginx
22 |     image: nginx
23 |
24 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.nginx-pod-3
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_050__local__kind__headless_svc/nginx-pods.yaml:25-34
25 | apiVersion: v1
26 | kind: Pod
27 | metadata:
28 |   name: nginx-pod-3
29 |   labels:
30 |     app: nginx-app
31 | spec:
32 |   containers:
33 |   - name: nginx
34 |     image: nginx
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.www.app-www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_027__gcp__intermediate_cluster_wide_kubeconfig/www.yaml:1-21
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: www
5 |   namespace: kube-system
6 | spec:
7 |   replicas: 3
8 |   selector:
9 |     matchLabels:
10 |       app: www
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: www
15 |     spec:
16 |       containers:
17 |       - name: nginx
18 |         image: nginx:1.14-alpine
19 |         ports:
20 |         - containerPort: 80
21 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.whoami.app-whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/25-whoami-deployment.yaml:1-24
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   namespace: default
5 |   name: whoami
6 |   labels:
7 |     app: whoami
8 |
9 | spec:
10 |   replicas: 2
11 |   selector:
12 |     matchLabels:
13 |       app: whoami
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: whoami
18 |     spec:
19 |       containers:
20 |         - name: whoami
21 |           image: containous/whoami
22 |           ports:
23 |             - name: web
24 |               containerPort: 80
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.traefik.app-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_025__gcp__traefik_whoami_lets_encrypt/15-traefik-deployment.yaml:2-43
2 | kind: Deployment
3 | apiVersion: apps/v1
4 | metadata:
5 |   namespace: default
6 |   name: traefik
7 |   labels:
8 |     app: traefik
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: traefik
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: traefik
18 |     spec:
19 |       serviceAccountName: traefik-ingress-controller
20 |       containers:
21 |         - name: traefik
22 |           image: traefik:v2.1
23 |           args:
24 |             - --api
25 |             - --log.level=DEBUG
26 |             - --api.insecure
27 |             - --accesslog
28 |             - --entrypoints.web.address=:80
29 |             - --entrypoints.websecure.address=:443
30 |             - --providers.kubernetescrd
31 |             - --certificatesresolvers.default.acme.tlschallenge
32 |             - --certificatesresolvers.default.acme.email=emailexample@gmail.com
33 |             - --certificatesresolvers.default.acme.storage=acme.json
34 |             # Please note that this is the staging Let's Encrypt server.
35 |             # Once you get things working, you should remove that whole line altogether.
36 |             # - --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
37 |           ports:
38 |             - name: web
39 |               containerPort: 80
40 |             - name: admin
41 |               containerPort: 8080
42 |             - name: websecure
43 |               containerPort: 443
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.hello-world.app.kubernetes.io/name-load-balancer-example
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_026__gcp__external_IP_to_access_Application_In_Cluster/service/load-balancer-example.yaml:1-21
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   labels:
5 |     app.kubernetes.io/name: load-balancer-example
6 |   name: hello-world
7 | spec:
8 |   replicas: 5
9 |   selector:
10 |     matchLabels:
11 |       app.kubernetes.io/name: load-balancer-example
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app.kubernetes.io/name: load-balancer-example
16 |     spec:
17 |       containers:
18 |       - image: gcr.io/google-samples/node-hello:1.0
19 |         name: hello-world
20 |         ports:
21 |         - containerPort: 8080
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.www.app-www
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_020__gcp__basic_namespace_wide_kubeconfig/www.yaml:1-21
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: www
5 |   namespace: development
6 | spec:
7 |   replicas: 3
8 |   selector:
9 |     matchLabels:
10 |       app: www
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: www
15 |     spec:
16 |       containers:
17 |       - name: nginx
18 |         image: nginx:1.14-alpine
19 |         ports:
20 |         - containerPort: 80
21 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.whoami.app-whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_011__aws__traefik_kops_whoami/whoami.yaml:1-25
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   namespace: default
5 |   name: whoami
6 |   labels:
7 |     app: whoami
8 |
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: whoami
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: whoami
18 |     spec:
19 |       containers:
20 |         - name: whoami
21 |           image: containous/whoami
22 |           ports:
23 |             - name: web
24 |               containerPort: 80
25 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.traefik-helm-template-traefik.app.kubernetes.io/name-traefik.helm.sh/chart-traefik-9.19.1.app.kubernetes.io/managed-by-Helm.app.kubernetes.io/instance-traefik-helm-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_011__aws__traefik_kops_whoami/traefik-resources.yaml:88-184
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.traefik-helm-template-traefik.app.kubernetes.io/name-traefik.helm.sh/chart-traefik-9.19.1.app.kubernetes.io/managed-by-Helm.app.kubernetes.io/instance-traefik-helm-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_010__aws__deploy_traefik_kops_k8s_helm/traefik-resources.yaml:88-184
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.loki-grafana-loki-promtail.app.kubernetes.io/name-grafana-loki.helm.sh/chart-grafana-loki-2.5.6.app.kubernetes.io/instance-loki.app.kubernetes.io/managed-by-Helm.app.kubernetes.io/part-of-grafana-loki.app.kubernetes.io/component-promtail.loki-gossip-member-true
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:742-861
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.loki-grafana-loki-compactor.app.kubernetes.io/name-grafana-loki.helm.sh/chart-grafana-loki-2.5.6.app.kubernetes.io/instance-loki.app.kubernetes.io/managed-by-Helm.app.kubernetes.io/part-of-grafana-loki.app.kubernetes.io/component-compactor.loki-gossip-member-true
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:863-970
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.loki-grafana-loki-distributor.app.kubernetes.io/name-grafana-loki.helm.sh/chart-grafana-loki-2.5.6.app.kubernetes.io/instance-loki.app.kubernetes.io/managed-by-Helm.app.kubernetes.io/part-of-grafana-loki.app.kubernetes.io/component-distributor.loki-gossip-member-true
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:972-1077
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.loki-grafana-loki-gateway.app.kubernetes.io/name-grafana-loki.helm.sh/chart-grafana-loki-2.5.6.app.kubernetes.io/instance-loki.app.kubernetes.io/managed-by-Helm.app.kubernetes.io/part-of-grafana-loki.app.kubernetes.io/component-gateway
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1079-1182
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.loki-grafana-loki-query-frontend.app.kubernetes.io/name-grafana-loki.helm.sh/chart-grafana-loki-2.5.6.app.kubernetes.io/instance-loki.app.kubernetes.io/managed-by-Helm.app.kubernetes.io/part-of-grafana-loki.app.kubernetes.io/component-query-frontend.loki-gossip-member-true
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1184-1285
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.loki-memcachedchunks.app.kubernetes.io/name-memcachedchunks.helm.sh/chart-memcachedchunks-6.3.5.app.kubernetes.io/instance-loki.app.kubernetes.io/managed-by-Helm
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1287-1377
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.loki-memcachedfrontend.app.kubernetes.io/name-memcachedfrontend.helm.sh/chart-memcachedfrontend-6.3.5.app.kubernetes.io/instance-loki.app.kubernetes.io/managed-by-Helm
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1379-1469
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.loki-memcachedindexqueries.app.kubernetes.io/name-memcachedindexqueries.helm.sh/chart-memcachedindexqueries-6.3.5.app.kubernetes.io/instance-loki.app.kubernetes.io/managed-by-Helm
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1471-1561
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.loki-grafana-loki-ingester.app.kubernetes.io/name-grafana-loki.helm.sh/chart-grafana-loki-2.5.6.app.kubernetes.io/instance-loki.app.kubernetes.io/managed-by-Helm.app.kubernetes.io/part-of-grafana-loki.app.kubernetes.io/component-ingester.loki-gossip-member-true
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1563-1678
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.loki-grafana-loki-querier.app.kubernetes.io/name-grafana-loki.helm.sh/chart-grafana-loki-2.5.6.app.kubernetes.io/instance-loki.app.kubernetes.io/managed-by-Helm.app.kubernetes.io/part-of-grafana-loki.app.kubernetes.io/component-querier.loki-gossip-member-true
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_040__local__kind__bitnami_loki___using_39/loki.yaml:1680-1796
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.whoami.app-whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   name: whoami
5 |   labels:
6 |     app: whoami
7 |
8 | spec:
9 |   replicas: 1
10 |   selector:
11 |     matchLabels:
12 |       app: whoami
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: whoami
17 |     spec:
18 |       containers:
19 |         - name: whoami
20 |           image: traefik/whoami
21 |           ports:
22 |             - name: web
23 |               containerPort: 80
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.cert-manager-cainjector.app-cainjector.app.kubernetes.io/name-cainjector.app.kubernetes.io/instance-cert-manager.app.kubernetes.io/component-cainjector.app.kubernetes.io/version-v1.10.0
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5229-5280
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.cert-manager.app-cert-manager.app.kubernetes.io/name-cert-manager.app.kubernetes.io/instance-cert-manager.app.kubernetes.io/component-controller.app.kubernetes.io/version-v1.10.0
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5282-5342
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.cert-manager-webhook.app-webhook.app.kubernetes.io/name-webhook.app.kubernetes.io/instance-cert-manager.app.kubernetes.io/component-webhook.app.kubernetes.io/version-v1.10.0
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5344-5428
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.kafdrop-template.app.kubernetes.io/name-kafdrop.app.kubernetes.io/instance-kafdrop-template
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_009__local__kafdrop/kafdrop-manifests.yaml:27-102
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.kube-state-metrics.app.kubernetes.io/name-kube-state-metrics.app.kubernetes.io/version-1.9.7
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_031__gcp__kube_state_metrics/deployment.yaml:1-44
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   labels:
5 |     app.kubernetes.io/name: kube-state-metrics
6 |     app.kubernetes.io/version: 1.9.7
7 |   name: kube-state-metrics
8 |   namespace: kube-system
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app.kubernetes.io/name: kube-state-metrics
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app.kubernetes.io/name: kube-state-metrics
18 |         app.kubernetes.io/version: 1.9.7
19 |     spec:
20 |       containers:
21 |       - image: quay.io/coreos/kube-state-metrics:v1.9.7
22 |         livenessProbe:
23 |           httpGet:
24 |             path: /healthz
25 |             port: 8080
26 |           initialDelaySeconds: 5
27 |           timeoutSeconds: 5
28 |         name: kube-state-metrics
29 |         ports:
30 |         - containerPort: 8080
31 |           name: http-metrics
32 |         - containerPort: 8081
33 |           name: telemetry
34 |         readinessProbe:
35 |           httpGet:
36 |             path: /
37 |             port: 8081
38 |           initialDelaySeconds: 5
39 |           timeoutSeconds: 5
40 |         securityContext:
41 |           runAsUser: 65534
42 |       nodeSelector:
43 |         kubernetes.io/os: linux
44 |       serviceAccountName: kube-state-metrics
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.helloweb.app-hello.tier-web
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_029__gcp__configuring_dns_with_static_IPs_k8_using_Ingress/helloweb-deployment.yaml:1-22
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: helloweb
5 |   labels:
6 |     app: hello
7 | spec:
8 |   selector:
9 |     matchLabels:
10 |       app: hello
11 |       tier: web
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: hello
16 |         tier: web
17 |     spec:
18 |       containers:
19 |       - name: hello-app
20 |         image: gcr.io/google-samples/hello-app:1.0
21 |         ports:
22 |         - containerPort: 8080
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.httpbin.app-httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/httpbin-app/dep.yaml:1-19
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: httpbin
5 | spec:
6 |   replicas: 1
7 |   selector:
8 |     matchLabels:
9 |       app: httpbin
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: httpbin
14 |     spec:
15 |       containers:
16 |       - image: docker.io/kennethreitz/httpbin
17 |         name: httpbin
18 |         ports:
19 |         - containerPort: 80
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.echo.app-echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/echo-app/dep.yaml:1-41
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   labels:
5 |     app: echo
6 |   name: echo
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: echo
12 |   strategy: {}
13 |   template:
14 |     metadata:
15 |       creationTimestamp: null
16 |       labels:
17 |         app: echo
18 |     spec:
19 |       containers:
20 |       - image: gcr.io/kubernetes-e2e-test-images/echoserver:2.2
21 |         name: echo
22 |         ports:
23 |         - containerPort: 8080
24 |         env:
25 |         - name: NODE_NAME
26 |           valueFrom:
27 |             fieldRef:
28 |               fieldPath: spec.nodeName
29 |         - name: POD_NAME
30 |           valueFrom:
31 |             fieldRef:
32 |               fieldPath: metadata.name
33 |         - name: POD_NAMESPACE
34 |           valueFrom:
35 |             fieldRef:
36 |               fieldPath: metadata.namespace
37 |         - name: POD_IP
38 |           valueFrom:
39 |             fieldRef:
40 |               fieldPath: status.podIP
41 |         resources: {}
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.bar-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_bar_app.yaml:1-15
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 |   name: bar-app
5 |   labels:
6 |     app: bar
7 | spec:
8 |   containers:
9 |   - command:
10 |     - /agnhost
11 |     - netexec
12 |     - --http-port
13 |     - "8080"
14 |     image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 |     name: bar-app
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.foo-app
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_047__local__kind__ingress_nginx/pod_foo_app.yaml:1-15
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 |   name: foo-app
5 |   labels:
6 |     app: foo
7 | spec:
8 |   containers:
9 |   - command:
10 |     - /agnhost
11 |     - netexec
12 |     - --http-port
13 |     - "8080"
14 |     image: registry.k8s.io/e2e-test-images/agnhost:2.39
15 |     name: foo-app
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.cert-manager.app-cert-manager.app.kubernetes.io/component-controller.app.kubernetes.io/instance-cert-manager.app.kubernetes.io/managed-by-Helm.app.kubernetes.io/name-cert-manager.app.kubernetes.io/version-v1.12.2.helm.sh/chart-cert-manager-v1.12.2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9695-9766
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.cert-manager-cainjector.app-cainjector.app.kubernetes.io/component-cainjector.app.kubernetes.io/instance-cert-manager.app.kubernetes.io/managed-by-Helm.app.kubernetes.io/name-cainjector.app.kubernetes.io/version-v1.12.2.helm.sh/chart-cert-manager-v1.12.2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9767-9822
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.cert-manager-webhook.app-webhook.app.kubernetes.io/component-webhook.app.kubernetes.io/instance-cert-manager.app.kubernetes.io/managed-by-Helm.app.kubernetes.io/name-webhook.app.kubernetes.io/version-v1.12.2.helm.sh/chart-cert-manager-v1.12.2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9823-9910
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.cert-manager-startupapicheck.app-startupapicheck.app.kubernetes.io/component-startupapicheck.app.kubernetes.io/instance-cert-manager.app.kubernetes.io/managed-by-Helm.app.kubernetes.io/name-startupapicheck.app.kubernetes.io/version-v1.12.2.helm.sh/chart-cert-manager-v1.12.2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:9911-9962
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.echo.app-echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:34-75
34 | apiVersion: apps/v1
35 | kind: Deployment
36 | metadata:
37 |   labels:
38 |     app: echo
39 |   name: echo
40 |   namespace: default
41 | spec:
42 |   replicas: 1
43 |   selector:
44 |     matchLabels:
45 |       app: echo
46 |   strategy: {}
47 |   template:
48 |     metadata:
49 |       labels:
50 |         app: echo
51 |     spec:
52 |       containers:
53 |       - env:
54 |         - name: NODE_NAME
55 |           valueFrom:
56 |             fieldRef:
57 |               fieldPath: spec.nodeName
58 |         - name: POD_NAME
59 |           valueFrom:
60 |             fieldRef:
61 |               fieldPath: metadata.name
62 |         - name: POD_NAMESPACE
63 |           valueFrom:
64 |             fieldRef:
65 |               fieldPath: metadata.namespace
66 |         - name: POD_IP
67 |           valueFrom:
68 |             fieldRef:
69 |               fieldPath: status.podIP
70 |         image: gcr.io/kubernetes-e2e-test-images/echoserver:2.2
71 |         name: echo
72 |         ports:
73 |         - containerPort: 8080
74 |         resources: {}
75 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.whoami.app-whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/app_all.yaml:76-99
76 | apiVersion: apps/v1
77 | kind: Deployment
78 | metadata:
79 |   labels:
80 |     app: whoami
81 |   name: whoami
82 |   namespace: default
83 | spec:
84 |   replicas: 1
85 |   selector:
86 |     matchLabels:
87 |       app: whoami
88 |   template:
89 |     metadata:
90 |       labels:
91 |         app: whoami
92 |     spec:
93 |       containers:
94 |       - image: containous/whoami
95 |         name: whoami
96 |         ports:
97 |         - containerPort: 80
98 |           name: web
99 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.cert-manager-cainjector.app-cainjector.app.kubernetes.io/name-cainjector.app.kubernetes.io/instance-cert-manager.app.kubernetes.io/component-cainjector.app.kubernetes.io/version-v1.12.2.app.kubernetes.io/managed-by-Helm.helm.sh/chart-cert-manager-v1.12.2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5364-5419
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.cert-manager.app-cert-manager.app.kubernetes.io/name-cert-manager.app.kubernetes.io/instance-cert-manager.app.kubernetes.io/component-controller.app.kubernetes.io/version-v1.12.2.app.kubernetes.io/managed-by-Helm.helm.sh/chart-cert-manager-v1.12.2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5421-5492
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.cert-manager-webhook.app-webhook.app.kubernetes.io/name-webhook.app.kubernetes.io/instance-cert-manager.app.kubernetes.io/component-webhook.app.kubernetes.io/version-v1.12.2.app.kubernetes.io/managed-by-Helm.helm.sh/chart-cert-manager-v1.12.2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5494-5582
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.cert-manager-startupapicheck.app-startupapicheck.app.kubernetes.io/name-startupapicheck.app.kubernetes.io/instance-cert-manager.app.kubernetes.io/component-startupapicheck.app.kubernetes.io/version-v1.12.2.app.kubernetes.io/managed-by-Helm.helm.sh/chart-cert-manager-v1.12.2
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5750-5800
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.whoami.app-whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_whoami.yaml:1-22
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   name: whoami
5 |   labels:
6 |     app: whoami
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: whoami
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: whoami
16 |     spec:
17 |       containers:
18 |         - name: whoami
19 |           image: containous/whoami
20 |           ports:
21 |             - name: web
22 |               containerPort: 80
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.echo.app-echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/base/app/dep_echo.yaml:1-40
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   labels:
5 |     app: echo
6 |   name: echo
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: echo
12 |   strategy: {}
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: echo
17 |     spec:
18 |       containers:
19 |       - image: gcr.io/kubernetes-e2e-test-images/echoserver:2.2
20 |         name: echo
21 |         ports:
22 |         - containerPort: 8080
23 |         env:
24 |         - name: NODE_NAME
25 |           valueFrom:
26 |             fieldRef:
27 |               fieldPath: spec.nodeName
28 |         - name: POD_NAME
29 |           valueFrom:
30 |             fieldRef:
31 |               fieldPath: metadata.name
32 |         - name: POD_NAMESPACE
33 |           valueFrom:
34 |             fieldRef:
35 |               fieldPath: metadata.namespace
36 |         - name: POD_IP
37 |           valueFrom:
38 |             fieldRef:
39 |               fieldPath: status.podIP
40 |         resources: {}
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.foo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_046__local__kind__nodeport_with_port_mapping/pod.yaml:1-12
1 | kind: Pod
2 | apiVersion: v1
3 | metadata:
4 |   name: foo
5 |   labels:
6 |     app: foo
7 | spec:
8 |   containers:
9 |   - name: foo
10 |     image: nginx:latest
11 |     ports:
12 |     - containerPort: 80
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.httpbin.app-httpbin
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/httpbin-app/dep.yaml:1-19
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: httpbin
5 | spec:
6 |   replicas: 1
7 |   selector:
8 |     matchLabels:
9 |       app: httpbin
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: httpbin
14 |     spec:
15 |       containers:
16 |       - image: docker.io/kennethreitz/httpbin
17 |         name: httpbin
18 |         ports:
19 |         - containerPort: 80
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.traefik.app.kubernetes.io/name-traefik.helm.sh/chart-traefik-10.3.6.app.kubernetes.io/managed-by-Helm.app.kubernetes.io/instance-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/traefik-helm-chart/traefik-manifests.yaml:89-199
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.echo.app-echo
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/echo-app/dep.yaml:1-41
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   labels:
5 |     app: echo
6 |   name: echo
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: echo
12 |   strategy: {}
13 |   template:
14 |     metadata:
15 |       creationTimestamp: null
16 |       labels:
17 |         app: echo
18 |     spec:
19 |       containers:
20 |       - image: gcr.io/kubernetes-e2e-test-images/echoserver:2.2
21 |         name: echo
22 |         ports:
23 |         - containerPort: 8080
24 |         env:
25 |         - name: NODE_NAME
26 |           valueFrom:
27 |             fieldRef:
28 |               fieldPath: spec.nodeName
29 |         - name: POD_NAME
30 |           valueFrom:
31 |             fieldRef:
32 |               fieldPath: metadata.name
33 |         - name: POD_NAMESPACE
34 |           valueFrom:
35 |             fieldRef:
36 |               fieldPath: metadata.namespace
37 |         - name: POD_IP
38 |           valueFrom:
39 |             fieldRef:
40 |               fieldPath: status.podIP
41 |         resources: {}
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.whoami.app-whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/dep-whoami.yaml:1-23
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   name: whoami
5 |   labels:
6 |     app: whoami
7 |
8 | spec:
9 |   replicas: 1
10 |   selector:
11 |     matchLabels:
12 |       app: whoami
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: whoami
17 |     spec:
18 |       containers:
19 |         - name: whoami
20 |           image: traefik/whoami
21 |           ports:
22 |             - name: web
23 |               containerPort: 80
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.cert-manager-cainjector.app-cainjector.app.kubernetes.io/name-cainjector.app.kubernetes.io/instance-cert-manager.app.kubernetes.io/component-cainjector.app.kubernetes.io/version-v1.10.0
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5229-5280
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.cert-manager.app-cert-manager.app.kubernetes.io/name-cert-manager.app.kubernetes.io/instance-cert-manager.app.kubernetes.io/component-controller.app.kubernetes.io/version-v1.10.0
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5282-5342
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.cert-manager-webhook.app-webhook.app.kubernetes.io/name-webhook.app.kubernetes.io/instance-cert-manager.app.kubernetes.io/component-webhook.app.kubernetes.io/version-v1.10.0
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5344-5428
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.metricbeat.k8s-app-metricbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_034__gcp__metricbeat/24-deployment.yaml:2-69
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.metricbeat.k8s-app-metricbeat
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_034__gcp__metricbeat/20-daemonset.yaml:2-96
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.whoami.app-whoami
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/25-whoami-deployment.yaml:1-24
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   namespace: default
5 |   name: whoami
6 |   labels:
7 |     app: whoami
8 |
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: whoami
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: whoami
18 |     spec:
19 |       containers:
20 |         - name: whoami
21 |           image: containous/whoami
22 |           ports:
23 |             - name: web
24 |               containerPort: 80
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.traefik.app-traefik
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_024__gcp__traefik_whoami_tomlInConfigMap/15-traefik-deployment.yaml:2-45
2 | kind: Deployment
3 | apiVersion: extensions/v1beta1
4 | metadata:
5 |   name: traefik
6 |   labels:
7 |     app: traefik
8 |
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: traefik
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: traefik
18 |     spec:
19 |       serviceAccountName: traefik-ingress-controller
20 |       volumes:
21 |         - name: config
22 |           configMap:
23 |             name: traefik-config-map
24 |       containers:
25 |         - name: traefik
26 |           image: traefik:v2.1
27 |           args:
28 |             - --accesslog=true
29 |             - --api
30 |             - --api.insecure
31 |             - --entrypoints.web.address=:80
32 |             - --entrypoints.websecure.address=:443
33 |             - --providers.kubernetescrd
34 |             - --configfile=/config/traefik.toml
35 |           ports:
36 |             - name: web
37 |               containerPort: 80
38 |             - name: admin
39 |               containerPort: 8080
40 |             - name: websecure
41 |               containerPort: 443
42 |           volumeMounts:
43 |             - mountPath: /etc/traefik/traefik.toml
44 |               name: config
45 |               subPath: traefik.toml
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.qotd.app-qotd
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/deploymentconfig.yaml:1-32
1 | apiVersion: apps.openshift.io/v1
2 | kind: DeploymentConfig
3 | metadata:
4 |   name: qotd
5 |   labels:
6 |     app: qotd
7 | spec:
8 |   selector:
9 |     app: qotd
10 |   replicas: 1
11 |   template:
12 |     metadata:
13 |       labels:
14 |         app: qotd
15 |     spec:
16 |       containers:
17 |         - name: qotd
18 |           image: image-registry.openshift-image-registry.svc:5000/pipelines-tutorial/qotd:latest
19 |           imagePullPolicy: Always
20 |           ports:
21 |             - containerPort: 10000
22 |               protocol: TCP
23 |   triggers:
24 |     - type: ConfigChange
25 |     - imageChangeParams:
26 |         automatic: true
27 |         containerNames:
28 |           - qotd
29 |         from:
30 |           kind: ImageStreamTag
31 |           name: qotd:latest
32 |       type: ImageChange
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.quotes.app-quotes
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_049__openshift__deploy_sample_backend_app/k8s-qotd-python/quotes-deployment.yaml:1-25
1 | kind: Deployment
2 | apiVersion: apps/v1
3 | metadata:
4 |   name: quotes
5 |   labels:
6 |     app: quotes
7 |     sandbox: learn-kubernetes
8 |     learn-kubernetes: quotes
9 | spec:
10 |   replicas: 1
11 |   selector:
12 |     matchLabels:
13 |       app: quotes
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: quotes
18 |     spec:
19 |       containers:
20 |         - name: quotes
21 |           image: quay.io/donschenck/quotes:v1
22 |           imagePullPolicy: Always
23 |           ports:
24 |             - containerPort: 10000
25 |               protocol: TCP
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.statefulset-demo.app-MyApp
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_022_configuring_persistent_storage_for_google_kubernetes_engine/statefulset-demo.yaml:12-45
12 | apiVersion: apps/v1
13 | kind: StatefulSet
14 | metadata:
15 |   name: statefulset-demo
16 | spec:
17 |   selector:
18 |     matchLabels:
19 |       app: MyApp
20 |   serviceName: statefulset-demo-service
21 |   replicas: 3
22 |   updateStrategy:
23 |     type: RollingUpdate
24 |   template:
25 |     metadata:
26 |       labels:
27 |         app: MyApp
28 |     spec:
29 |       containers:
30 |       - name: stateful-set-container
31 |         image: nginx
32 |         ports:
33 |         - containerPort: 80
34 |           name: http
35 |         volumeMounts:
36 |         - name: hello-web-disk
37 |           mountPath: "/var/www/html"
38 |   volumeClaimTemplates:
39 |   - metadata:
40 |       name: hello-web-disk
41 |     spec:
42 |       accessModes: [ "ReadWriteOnce" ]
43 |       resources:
44 |         requests:
45 |           storage: 30Gi
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.nginx-deployment.app-nginx
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-deployment.yaml:1-21
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: nginx-deployment
5 |   labels:
6 |     app: nginx
7 | spec:
8 |   replicas: 3
9 |   selector:
10 |     matchLabels:
11 |       app: nginx
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: nginx
16 |     spec:
17 |       containers:
18 |       - name: nginx
19 |         image: nginx:1.7.9
20 |         ports:
21 |         - containerPort: 80
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.nginx-canary.app-nginx.track-canary.Version-1.9.1
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_021_creating_google_kubernetes_engine_deployments/nginx-canary.yaml:1-23
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: nginx-canary
5 |   labels:
6 |     app: nginx
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: nginx
12 |   template:
13 |     metadata:
14 |       labels:
15 |         app: nginx
16 |         track: canary
17 |         Version: 1.9.1
18 |     spec:
19 |       containers:
20 |       - name: nginx
21 |         image: nginx:1.9.1
22 |         ports:
23 |         - containerPort: 80
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.secure-monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/secure-monolith.yaml:1-55
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/monolith.yaml:1-23
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: monolith
5 |   labels:
6 |     app: monolith
7 | spec:
8 |   containers:
9 |     - name: monolith
10 |       image: kelseyhightower/monolith:1.0.0
11 |       args:
12 |         - "-http=0.0.0.0:80"
13 |         - "-health=0.0.0.0:81"
14 |         - "-secret=secret"
15 |       ports:
16 |         - name: http
17 |           containerPort: 80
18 |         - name: health
19 |           containerPort: 81
20 |       resources:
21 |         limits:
22 |           cpu: 0.2
23 |           memory: "10Mi"
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.healthy-monolith
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/pods/healthy-monolith.yaml:1-34
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: "healthy-monolith"
5 |   labels:
6 |     app: monolith
7 | spec:
8 |   containers:
9 |     - name: monolith
10 |       image: kelseyhightower/monolith:1.0.0
11 |       ports:
12 |         - name: http
13 |           containerPort: 80
14 |         - name: health
15 |           containerPort: 81
16 |       resources:
17 |         limits:
18 |           cpu: 0.2
19 |           memory: "10Mi"
20 |       livenessProbe:
21 |         httpGet:
22 |           path: /healthz
23 |           port: 81
24 |           scheme: HTTP
25 |         initialDelaySeconds: 5
26 |         periodSeconds: 15
27 |         timeoutSeconds: 5
28 |       readinessProbe:
29 |         httpGet:
30 |           path: /readiness
31 |           port: 81
32 |           scheme: HTTP
33 |         initialDelaySeconds: 5
34 |         timeoutSeconds: 1
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.auth.app-auth.track-stable
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/auth.yaml:1-42
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: auth
5 | spec:
6 |   replicas: 1
7 |   selector:
8 |     matchLabels:
9 |       app: auth
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: auth
14 |         track: stable
15 |     spec:
16 |       containers:
17 |         - name: auth
18 |           image: "kelseyhightower/auth:2.0.0"
19 |           ports:
20 |             - name: http
21 |               containerPort: 80
22 |             - name: health
23 |               containerPort: 81
24 |           resources:
25 |             limits:
26 |               cpu: 0.2
27 |               memory: "10Mi"
28 |           livenessProbe:
29 |             httpGet:
30 |               path: /healthz
31 |               port: 81
32 |               scheme: HTTP
33 |             initialDelaySeconds: 5
34 |             periodSeconds: 15
35 |             timeoutSeconds: 5
36 |           readinessProbe:
37 |             httpGet:
38 |               path: /readiness
39 |               port: 81
40 |               scheme: HTTP
41 |             initialDelaySeconds: 5
42 |             timeoutSeconds: 1
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.hello-green.app-hello.track-stable.version-2.0.0
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello-green.yaml:1-43
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: hello-green
5 | spec:
6 |   replicas: 3
7 |   selector:
8 |     matchLabels:
9 |       app: hello
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: hello
14 |         track: stable
15 |         version: 2.0.0
16 |     spec:
17 |       containers:
18 |         - name: hello
19 |           image: kelseyhightower/hello:2.0.0
20 |           ports:
21 |             - name: http
22 |               containerPort: 80
23 |             - name: health
24 |               containerPort: 81
25 |           resources:
26 |             limits:
27 |               cpu: 0.2
28 |               memory: 10Mi
29 |           livenessProbe:
30 |             httpGet:
31 |               path: /healthz
32 |               port: 81
33 |               scheme: HTTP
34 |             initialDelaySeconds: 5
35 |             periodSeconds: 15
36 |             timeoutSeconds: 5
37 |           readinessProbe:
38 |             httpGet:
39 |               path: /readiness
40 |               port: 81
41 |               scheme: HTTP
42 |             initialDelaySeconds: 5
43 |             timeoutSeconds: 1
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.frontend.app-frontend.track-stable
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/frontend.yaml:1-37
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: frontend
5 | spec:
6 |   replicas: 1
7 |   selector:
8 |     matchLabels:
9 |       app: frontend
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: frontend
14 |         track: stable
15 |     spec:
16 |       containers:
17 |         - name: nginx
18 |           image: "nginx:1.9.14"
19 |           lifecycle:
20 |             preStop:
21 |               exec:
22 |                 command: ["/usr/sbin/nginx","-s","quit"]
23 |           volumeMounts:
24 |             - name: "nginx-frontend-conf"
25 |               mountPath: "/etc/nginx/conf.d"
26 |             - name: "tls-certs"
27 |               mountPath: "/etc/tls"
28 |       volumes:
29 |         - name: "tls-certs"
30 |           secret:
31 |             secretName: "tls-certs"
32 |         - name: "nginx-frontend-conf"
33 |           configMap:
34 |             name: "nginx-frontend-conf"
35 |             items:
36 |               - key: "frontend.conf"
37 |                 path: "frontend.conf"
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.hello-canary.app-hello.track-canary.version-2.0.0
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello-canary.yaml:1-43
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: hello-canary
5 | spec:
6 |   replicas: 1
7 |   selector:
8 |     matchLabels:
9 |       app: hello
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: hello
14 |         track: canary
15 |         version: 2.0.0
16 |     spec:
17 |       containers:
18 |         - name: hello
19 |           image: kelseyhightower/hello:2.0.0
20 |           ports:
21 |             - name: http
22 |               containerPort: 80
23 |             - name: health
24 |               containerPort: 81
25 |           resources:
26 |             limits:
27 |               cpu: 0.2
28 |               memory: 10Mi
29 |           livenessProbe:
30 |             httpGet:
31 |               path: /healthz
32 |               port: 81
33 |               scheme: HTTP
34 |             initialDelaySeconds: 5
35 |             periodSeconds: 15
36 |             timeoutSeconds: 5
37 |           readinessProbe:
38 |             httpGet:
39 |               path: /readiness
40 |               port: 81
41 |               scheme: HTTP
42 |             initialDelaySeconds: 5
43 |             timeoutSeconds: 1
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.hello.app-hello.track-stable.version-1.0.0
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_028_managing_deployments_using_kubernetes_engine/deployments/hello.yaml:1-43
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: hello
5 | spec:
6 |   replicas: 3
7 |   selector:
8 |     matchLabels:
9 |       app: hello
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: hello
14 |         track: stable
15 |         version: 1.0.0
16 |     spec:
17 |       containers:
18 |         - name: hello
19 |           image: "kelseyhightower/hello:1.0.0"
20 |           ports:
21 |             - name: http
22 |               containerPort: 80
23 |             - name: health
24 |               containerPort: 81
25 |           resources:
26 |             limits:
27 |               cpu: 0.2
28 |               memory: "10Mi"
29 |           livenessProbe:
30 |             httpGet:
31 |               path: /healthz
32 |               port: 81
33 |               scheme: HTTP
34 |             initialDelaySeconds: 5
35 |             periodSeconds: 15
36 |             timeoutSeconds: 5
37 |           readinessProbe:
38 |             httpGet:
39 |               path: /readiness
40 |               port: 81
41 |               scheme: HTTP
42 |             initialDelaySeconds: 5
43 |             timeoutSeconds: 1
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.devops-deployment.app-devops.tier-frontend
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun/k8s-manifests.yaml:2-26
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: devops-deployment
6 |   labels:
7 |     app: devops
8 |     tier: frontend
9 | spec:
10 |   replicas: 3
11 |   selector:
12 |     matchLabels:
13 |       app: devops
14 |       tier: frontend
15 |   template:
16 |     metadata:
17 |       labels:
18 |         app: devops
19 |         tier: frontend
20 |     spec:
21 |       containers:
22 |       - name: devops-demo
23 |         image:
24 |         ports:
25 |         - containerPort: 8080
26 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.sleep.app-sleep
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/sleep.yaml:22-50
22 | apiVersion: apps/v1
23 | kind: Deployment
24 | metadata:
25 |   name: sleep
26 | spec:
27 |   replicas: 1
28 |   selector:
29 |     matchLabels:
30 |       app: sleep
31 |   template:
32 |     metadata:
33 |       labels:
34 |         app: sleep
35 |     spec:
36 |       serviceAccountName: sleep
37 |       containers:
38 |       - name: sleep
39 |         image: governmentpaas/curl-ssl
40 |         command: ["/bin/sleep", "3650d"]
41 |         imagePullPolicy: IfNotPresent
42 |         volumeMounts:
43 |         - mountPath: /etc/sleep/tls
44 |           name: secret-volume
45 |       volumes:
46 |       - name: secret-volume
47 |         secret:
48 |           secretName: sleep-secret
49 |           optional: true
50 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.httpbin.app-httpbin.version-v1
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_026_securing_traffic_through_anthos_service_mesh/manifests/httpbin.yaml:23-45
23 | apiVersion: apps/v1
24 | kind: Deployment
25 | metadata:
26 |   name: httpbin
27 | spec:
28 |   replicas: 1
29 |   selector:
30 |     matchLabels:
31 |       app: httpbin
32 |       version: v1
33 |   template:
34 |     metadata:
35 |       labels:
36 |         app: httpbin
37 |         version: v1
38 |     spec:
39 |       serviceAccountName: httpbin
40 |       containers:
41 |       - image: docker.io/kennethreitz/httpbin
42 |         imagePullPolicy: IfNotPresent
43 |         name: httpbin
44 |         ports:
45 |         - containerPort: 80
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.devops-deployment.app-devops.tier-frontend
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun__python/k8s-manifests.yaml:2-26
2 | apiVersion: apps/v1
3 | kind: Deployment
4 | metadata:
5 |   name: devops-deployment
6 |   labels:
7 |     app: devops
8 |     tier: frontend
9 | spec:
10 |   replicas: 3
11 |   selector:
12 |     matchLabels:
13 |       app: devops
14 |       tier: frontend
15 |   template:
16 |     metadata:
17 |       labels:
18 |         app: devops
19 |         tier: frontend
20 |     spec:
21 |       containers:
22 |       - name: devops-demo
23 |         image:
24 |         ports:
25 |         - containerPort: 8080
26 | ---
dockerfile scan results:
Passed checks: 1462, Failed checks: 50, Skipped checks: 0
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /home/containers/docker/taskset_docker_containers/task_022_sample_app/app/Dockerfile.
File: /home/containers/docker/taskset_docker_containers/task_022_sample_app/app/Dockerfile:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | # syntax=docker/dockerfile:1
2 | FROM node:12-alpine
3 | RUN apk add --no-cache python2 g++ make
4 | WORKDIR /app
5 | COPY . .
6 | RUN yarn install --production
7 | CMD ["node", "src/index.js"]
8 | EXPOSE 3000
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /home/containers/docker/taskset_docker_containers/task_022_sample_app/app/Dockerfile.
File: /home/containers/docker/taskset_docker_containers/task_022_sample_app/app/Dockerfile:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | # syntax=docker/dockerfile:1
2 | FROM node:12-alpine
3 | RUN apk add --no-cache python2 g++ make
4 | WORKDIR /app
5 | COPY . .
6 | RUN yarn install --production
7 | CMD ["node", "src/index.js"]
8 | EXPOSE 3000
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_031_hello_node_kubernetes__node/Dockerfile.
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_031_hello_node_kubernetes__node/Dockerfile:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | # Use Node.js v6.9.2 as base image
2 | FROM node:6.9.2
3 |
4 | # Expose port 8080 for incoming traffic
5 | EXPOSE 8080
6 |
7 | # Copy the server.js file from the current directory to the image
8 | COPY server.js .
9 |
10 | # Set the default command to run the server.js file with Node.js
11 | CMD node server.js
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_031_hello_node_kubernetes__node/Dockerfile.
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_031_hello_node_kubernetes__node/Dockerfile:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | # Use Node.js v6.9.2 as base image
2 | FROM node:6.9.2
3 |
4 | # Expose port 8080 for incoming traffic
5 | EXPOSE 8080
6 |
7 | # Copy the server.js file from the current directory to the image
8 | COPY server.js .
9 |
10 | # Set the default command to run the server.js file with Node.js
11 | CMD node server.js
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_006_hello_cloud_run__node/hello-world-node/Dockerfile.
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_006_hello_cloud_run__node/hello-world-node/Dockerfile:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | # Use the official lightweight Node.js 12 image.
2 | # https://hub.docker.com/_/node
3 | FROM node:12-slim
4 | # Create and change to the app directory.
5 | WORKDIR /usr/src/app
6 | # Copy application dependency manifests to the container image.
7 | # A wildcard is used to ensure copying both package.json AND package-lock.json (when available).
8 | # Copying this first prevents re-running npm install on every code change.
9 | COPY package*.json ./
10 | # Install production dependencies.
11 | # If you add a package-lock.json, speed your build by switching to 'npm ci'.
12 | # RUN npm ci --only=production
13 | RUN npm install --only=production
14 | # Copy local code to the container image.
15 | COPY . ./
16 | # Run the web service on container startup.
17 | CMD [ "npm", "start" ]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_006_hello_cloud_run__node/hello-world-node/Dockerfile.
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_006_hello_cloud_run__node/hello-world-node/Dockerfile:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | # Use the official lightweight Node.js 12 image.
2 | # https://hub.docker.com/_/node
3 | FROM node:12-slim
4 | # Create and change to the app directory.
5 | WORKDIR /usr/src/app
6 | # Copy application dependency manifests to the container image.
7 | # A wildcard is used to ensure copying both package.json AND package-lock.json (when available).
8 | # Copying this first prevents re-running npm install on every code change.
9 | COPY package*.json ./
10 | # Install production dependencies.
11 | # If you add a package-lock.json, speed your build by switching to 'npm ci'.
12 | # RUN npm ci --only=production
13 | RUN npm install --only=production
14 | # Copy local code to the container image.
15 | COPY . ./
16 | # Run the web service on container startup.
17 | CMD [ "npm", "start" ]
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /home/web_servers/nginx/taskset_nginx_web_servers/task_004_return_different_http_codes/Dockerfile.
File: /home/web_servers/nginx/taskset_nginx_web_servers/task_004_return_different_http_codes/Dockerfile:1-6
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM nginx:alpine
2 |
3 | COPY conf.d /etc/nginx/conf.d
4 | COPY html /usr/share/nginx/html
5 |
6 |
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /home/web_servers/nginx/taskset_nginx_web_servers/task_004_return_different_http_codes/Dockerfile.
File: /home/web_servers/nginx/taskset_nginx_web_servers/task_004_return_different_http_codes/Dockerfile:1-6
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM nginx:alpine
2 |
3 | COPY conf.d /etc/nginx/conf.d
4 | COPY html /usr/share/nginx/html
5 |
6 |
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_010_alerting_in_google_cloud__python/Dockerfile.
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_010_alerting_in_google_cloud__python/Dockerfile:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM python:3.7
2 | WORKDIR /app
3 | COPY . .
4 | RUN pip install gunicorn
5 | RUN pip install -r requirements.txt
6 | ENV PORT=8080
7 | CMD exec gunicorn --bind :$PORT --workers 1 --threads 8 main:app
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_010_alerting_in_google_cloud__python/Dockerfile.
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_010_alerting_in_google_cloud__python/Dockerfile:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM python:3.7
2 | WORKDIR /app
3 | COPY . .
4 | RUN pip install gunicorn
5 | RUN pip install -r requirements.txt
6 | ENV PORT=8080
7 | CMD exec gunicorn --bind :$PORT --workers 1 --threads 8 main:app
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /home/containers/docker_compose/taskset_docker_compose_containers/task_009__local__natsStreaming_metricbeat_elasticsearch_kibana/docker/metricbeat/Dockerfile.
File: /home/containers/docker_compose/taskset_docker_compose_containers/task_009__local__natsStreaming_metricbeat_elasticsearch_kibana/docker/metricbeat/Dockerfile:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM docker.elastic.co/beats/metricbeat:7.8.1
2 |
3 | # The file to monitor the host is different from the file to monitor docker services.ADD
4 | # So we pass the filename at build time to choose the target (host or services) of the image built.
5 | ARG METRICBEAT_FILE=metricbeat.yml
6 | COPY ${METRICBEAT_FILE} /usr/share/metricbeat/metricbeat.yml
7 |
8 | USER root
9 |
10 | RUN yum -y install nc
11 |
12 | RUN mkdir /var/log/metricbeat \
13 | && chown metricbeat /usr/share/metricbeat/metricbeat.yml \
14 | && chmod go-w /usr/share/metricbeat/metricbeat.yml \
15 | && chown metricbeat /var/log/metricbeat
16 |
17 | COPY entrypoint.sh /usr/local/bin/custom-entrypoint
18 | RUN chmod +x /usr/local/bin/custom-entrypoint
19 |
20 | USER metricbeat
21 |
22 | ENTRYPOINT ["/usr/local/bin/custom-entrypoint"]
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_007_building_a_devops_pipeline__python/Dockerfile.
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_007_building_a_devops_pipeline__python/Dockerfile:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM python:3.7
2 | WORKDIR /app
3 | COPY . .
4 | RUN pip install gunicorn
5 | RUN pip install -r requirements.txt
6 | ENV PORT=80
7 | CMD exec gunicorn --bind :$PORT --workers 1 --threads 8 main:app
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_007_building_a_devops_pipeline__python/Dockerfile.
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_007_building_a_devops_pipeline__python/Dockerfile:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM python:3.7
2 | WORKDIR /app
3 | COPY . .
4 | RUN pip install gunicorn
5 | RUN pip install -r requirements.txt
6 | ENV PORT=80
7 | CMD exec gunicorn --bind :$PORT --workers 1 --threads 8 main:app
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_002_nodejs_mongo_docker/node_project/Dockerfile.
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_002_nodejs_mongo_docker/node_project/Dockerfile:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM node:10-alpine
2 |
3 | RUN mkdir -p /home/node/app/node_modules && chown -R node:node /home/node/app
4 |
5 | WORKDIR /home/node/app
6 |
7 | COPY package*.json ./
8 |
9 | USER node
10 |
11 | RUN npm install
12 |
13 | COPY --chown=node:node . .
14 |
15 | EXPOSE 8080
16 |
17 | CMD [ "node", "app.js" ]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/node_project/Dockerfile.
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/node_project/Dockerfile:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM node:10-alpine
2 |
3 | RUN mkdir -p /home/node/app/node_modules && chown -R node:node /home/node/app
4 |
5 | WORKDIR /home/node/app
6 |
7 | COPY package*.json ./
8 |
9 | USER node
10 |
11 | RUN npm install
12 |
13 | COPY --chown=node:node . .
14 |
15 | EXPOSE 8080
16 |
17 | CMD [ "node", "app.js" ]
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/traefik-custom-image/Dockerfile.
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/traefik-custom-image/Dockerfile:1-2
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM traefik:v2.5.3
2 | COPY ./traefik-add-trace-id ./plugins-local/src/github.com/trinnylondon/traefik-add-trace-id
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/traefik-custom-image/Dockerfile.
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_012__aws__kops_with_traefik_customization/traefik-custom-image/Dockerfile:1-2
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM traefik:v2.5.3
2 | COPY ./traefik-add-trace-id ./plugins-local/src/github.com/trinnylondon/traefik-add-trace-id
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun/Dockerfile.
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun/Dockerfile:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM python:3.7
2 | WORKDIR /app
3 | COPY . .
4 | RUN pip install gunicorn
5 | RUN pip install -r requirements.txt
6 | ENV PORT=8080
7 | CMD exec gunicorn --bind :$PORT --workers 1 --threads 8 main:app
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun/Dockerfile.
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun/Dockerfile:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM python:3.7
2 | WORKDIR /app
3 | COPY . .
4 | RUN pip install gunicorn
5 | RUN pip install -r requirements.txt
6 | ENV PORT=8080
7 | CMD exec gunicorn --bind :$PORT --workers 1 --threads 8 main:app
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_003_nodejs_mongo_docker_compose/node_project/Dockerfile.
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_003_nodejs_mongo_docker_compose/node_project/Dockerfile:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM node:10-alpine
2 |
3 | RUN mkdir -p /home/node/app/node_modules && chown -R node:node /home/node/app
4 |
5 | WORKDIR /home/node/app
6 |
7 | COPY package*.json ./
8 |
9 | USER node
10 |
11 | RUN npm install
12 |
13 | COPY --chown=node:node . .
14 |
15 | EXPOSE 8080
16 |
17 | CMD [ "node", "app.js" ]
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-controller.Dockerfile.
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-controller.Dockerfile:1-2
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM jenkins/jenkins:lts
2 | RUN jenkins-plugin-cli --plugins google-login kubernetes workflow-aggregator git configuration-as-code ace-editor ansible ansicolor ant htmlpublisher antisamy-markup-formatter apache-httpcomponents-client-4-api authentication-tokens authorize-project bouncycastle-api branch-api build-name-setter build-timeout build-with-parameters cloudbees-folder collapsing-console-sections command-launcher conditional-buildstep config-file-provider console-badge console-column-plugin console-navigation console-tail credentials credentials-binding dashboard-view display-console-output display-url-api docker-commons docker-java-api docker-plugin docker-workflow durable-task dynamic-search-view email-ext extended-choice-parameter extensible-choice-parameter external-monitor-job extra-columns generic-webhook-trigger git-changelog git-client git-server github github-api github-branch-source github-oauth github-pullrequest gradle handlebars hudson-pview-plugin icon-shim jackson2-api javadoc jdk-tool job-dsl jobConfigHistory jquery jquery-detached jquery-ui jsch junit ldap lockable-resources mailer mapdb-api matrix-auth matrix-combinations-parameter matrix-project maven-plugin mission-control-view momentjs nodejs nodelabelparameter pam-auth parameter-separator parameterized-trigger pipeline-build-step pipeline-github-lib pipeline-graph-analysis pipeline-input-step pipeline-milestone-step pipeline-model-api pipeline-model-declarative-agent pipeline-model-definition pipeline-model-extensions pipeline-rest-api pipeline-stage-step pipeline-stage-tags-metadata pipeline-stage-view plain-credentials rebuild resource-disposer role-strategy run-condition scm-api script-security show-build-parameters simple-theme-plugin slack ssh-agent ssh-credentials ssh-slaves structs subversion throttle-concurrents timestamper token-macro trilead-api view-job-filters windows-slaves workflow-aggregator workflow-api workflow-basic-steps workflow-cps workflow-cps-global-lib workflow-durable-task-step workflow-job workflow-multibranch workflow-scm-step workflow-step-api workflow-support ws-cleanup
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-controller.Dockerfile.
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-controller.Dockerfile:1-2
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM jenkins/jenkins:lts
2 | RUN jenkins-plugin-cli --plugins google-login kubernetes workflow-aggregator git configuration-as-code ace-editor ansible ansicolor ant htmlpublisher antisamy-markup-formatter apache-httpcomponents-client-4-api authentication-tokens authorize-project bouncycastle-api branch-api build-name-setter build-timeout build-with-parameters cloudbees-folder collapsing-console-sections command-launcher conditional-buildstep config-file-provider console-badge console-column-plugin console-navigation console-tail credentials credentials-binding dashboard-view display-console-output display-url-api docker-commons docker-java-api docker-plugin docker-workflow durable-task dynamic-search-view email-ext extended-choice-parameter extensible-choice-parameter external-monitor-job extra-columns generic-webhook-trigger git-changelog git-client git-server github github-api github-branch-source github-oauth github-pullrequest gradle handlebars hudson-pview-plugin icon-shim jackson2-api javadoc jdk-tool job-dsl jobConfigHistory jquery jquery-detached jquery-ui jsch junit ldap lockable-resources mailer mapdb-api matrix-auth matrix-combinations-parameter matrix-project maven-plugin mission-control-view momentjs nodejs nodelabelparameter pam-auth parameter-separator parameterized-trigger pipeline-build-step pipeline-github-lib pipeline-graph-analysis pipeline-input-step pipeline-milestone-step pipeline-model-api pipeline-model-declarative-agent pipeline-model-definition pipeline-model-extensions pipeline-rest-api pipeline-stage-step pipeline-stage-tags-metadata pipeline-stage-view plain-credentials rebuild resource-disposer role-strategy run-condition scm-api script-security show-build-parameters simple-theme-plugin slack ssh-agent ssh-credentials ssh-slaves structs subversion throttle-concurrents timestamper token-macro trilead-api view-job-filters windows-slaves workflow-aggregator workflow-api workflow-basic-steps workflow-cps workflow-cps-global-lib workflow-durable-task-step workflow-job workflow-multibranch workflow-scm-step workflow-step-api workflow-support ws-cleanup
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /home/containers/docker/taskset_docker_containers/task_015_elastic_search_bkp_restore/Dockerfile.
File: /home/containers/docker/taskset_docker_containers/task_015_elastic_search_bkp_restore/Dockerfile:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM docker.elastic.co/elasticsearch/elasticsearch:7.7.0
2 |
3 | #this is to tell that we are passing these arguments at runtime
4 | ARG ENV_VAR_AWS_ACCESS_KEY_ID
5 | ARG ENV_VAR_AWS_SECRET_ACCESS_KEY
6 |
7 | ENV AWS_ACCESS_KEY_ID ${ENV_VAR_AWS_ACCESS_KEY_ID}
8 | ENV AWS_SECRET_ACCESS_KEY ${ENV_VAR_AWS_SECRET_ACCESS_KEY}
9 | ENV xpack.security.enabled 'false'
10 | ENV xpack.monitoring.enabled 'false'
11 | ENV xpack.graph.enabled 'false'
12 | ENV xpack.watcher.enabled 'false'
13 | ENV discovery.type 'single-node'
14 | ENV bootstrap.memory_lock 'true'
15 | ENV indices.memory.index_buffer_size '30%'
16 |
17 | RUN /usr/share/elasticsearch/bin/elasticsearch-plugin install --batch repository-s3
18 | RUN /usr/share/elasticsearch/bin/elasticsearch-keystore create
19 | RUN echo $AWS_ACCESS_KEY_ID | /usr/share/elasticsearch/bin/elasticsearch-keystore add --stdin s3.client.default.access_key
20 | RUN echo $AWS_SECRET_ACCESS_KEY | /usr/share/elasticsearch/bin/elasticsearch-keystore add --stdin s3.client.default.secret_key
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /home/containers/docker/taskset_docker_containers/task_015_elastic_search_bkp_restore/Dockerfile.
File: /home/containers/docker/taskset_docker_containers/task_015_elastic_search_bkp_restore/Dockerfile:1-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM docker.elastic.co/elasticsearch/elasticsearch:7.7.0
2 |
3 | #this is to tell that we are passing these arguments at runtime
4 | ARG ENV_VAR_AWS_ACCESS_KEY_ID
5 | ARG ENV_VAR_AWS_SECRET_ACCESS_KEY
6 |
7 | ENV AWS_ACCESS_KEY_ID ${ENV_VAR_AWS_ACCESS_KEY_ID}
8 | ENV AWS_SECRET_ACCESS_KEY ${ENV_VAR_AWS_SECRET_ACCESS_KEY}
9 | ENV xpack.security.enabled 'false'
10 | ENV xpack.monitoring.enabled 'false'
11 | ENV xpack.graph.enabled 'false'
12 | ENV xpack.watcher.enabled 'false'
13 | ENV discovery.type 'single-node'
14 | ENV bootstrap.memory_lock 'true'
15 | ENV indices.memory.index_buffer_size '30%'
16 |
17 | RUN /usr/share/elasticsearch/bin/elasticsearch-plugin install --batch repository-s3
18 | RUN /usr/share/elasticsearch/bin/elasticsearch-keystore create
19 | RUN echo $AWS_ACCESS_KEY_ID | /usr/share/elasticsearch/bin/elasticsearch-keystore add --stdin s3.client.default.access_key
20 | RUN echo $AWS_SECRET_ACCESS_KEY | /usr/share/elasticsearch/bin/elasticsearch-keystore add --stdin s3.client.default.secret_key
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun__python/Dockerfile.
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun__python/Dockerfile:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM python:3.7
2 | WORKDIR /app
3 | COPY . .
4 | RUN pip install gunicorn
5 | RUN pip install -r requirements.txt
6 | ENV PORT=8080
7 | CMD exec gunicorn --bind :$PORT --workers 1 --threads 8 main:app
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun__python/Dockerfile.
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_008_deploying_app_to_app_engine_and_gke_and_cloudrun__python/Dockerfile:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM python:3.7
2 | WORKDIR /app
3 | COPY . .
4 | RUN pip install gunicorn
5 | RUN pip install -r requirements.txt
6 | ENV PORT=8080
7 | CMD exec gunicorn --bind :$PORT --workers 1 --threads 8 main:app
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /home/containers/docker/taskset_docker_containers/task_023_update_sample_app/app/Dockerfile.
File: /home/containers/docker/taskset_docker_containers/task_023_update_sample_app/app/Dockerfile:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | # syntax=docker/dockerfile:1
2 | FROM node:12-alpine
3 | RUN apk add --no-cache python2 g++ make
4 | WORKDIR /app
5 | COPY . .
6 | RUN yarn install --production
7 | CMD ["node", "src/index.js"]
8 | EXPOSE 3000
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /home/containers/docker/taskset_docker_containers/task_023_update_sample_app/app/Dockerfile.
File: /home/containers/docker/taskset_docker_containers/task_023_update_sample_app/app/Dockerfile:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | # syntax=docker/dockerfile:1
2 | FROM node:12-alpine
3 | RUN apk add --no-cache python2 g++ make
4 | WORKDIR /app
5 | COPY . .
6 | RUN yarn install --production
7 | CMD ["node", "src/index.js"]
8 | EXPOSE 3000
Check: CKV_DOCKER_4: "Ensure that COPY is used instead of ADD in Dockerfiles"
FAILED for resource: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_030_minimal_nodejs_app_dockerize_google_artifact_registry/test/Dockerfile.ADD
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_030_minimal_nodejs_app_dockerize_google_artifact_registry/test/Dockerfile:6-6
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-copy-is-used-instead-of-add-in-dockerfiles.html
6 | ADD . /app
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_030_minimal_nodejs_app_dockerize_google_artifact_registry/test/Dockerfile.
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_030_minimal_nodejs_app_dockerize_google_artifact_registry/test/Dockerfile:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | # Use an official Node runtime as the parent image
2 | FROM node:lts
3 | # Set the working directory in the container to /app
4 | WORKDIR /app
5 | # Copy the current directory contents into the container at /app
6 | ADD . /app
7 | # Make the container's port 80 available to the outside world
8 | EXPOSE 80
9 | # Run app.js using node when the container launches
10 | CMD ["node", "app.js"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_030_minimal_nodejs_app_dockerize_google_artifact_registry/test/Dockerfile.
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_030_minimal_nodejs_app_dockerize_google_artifact_registry/test/Dockerfile:1-10
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | # Use an official Node runtime as the parent image
2 | FROM node:lts
3 | # Set the working directory in the container to /app
4 | WORKDIR /app
5 | # Copy the current directory contents into the container at /app
6 | ADD . /app
7 | # Make the container's port 80 available to the outside world
8 | EXPOSE 80
9 | # Run app.js using node when the container launches
10 | CMD ["node", "app.js"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/node_project/Dockerfile.
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/node_project/Dockerfile:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM node:10-alpine
2 |
3 | RUN mkdir -p /home/node/app/node_modules && chown -R node:node /home/node/app
4 |
5 | WORKDIR /home/node/app
6 |
7 | COPY package*.json ./
8 |
9 | USER node
10 |
11 | RUN npm install
12 |
13 | COPY --chown=node:node . .
14 |
15 | EXPOSE 8080
16 |
17 | CMD [ "node", "app.js" ]
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /home/containers/docker/taskset_docker_containers/task_010_docker_build/Dockerfile.FROM
File: /home/containers/docker/taskset_docker_containers/task_010_docker_build/Dockerfile:1-1
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
1 | FROM nginx:latest
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /home/containers/docker/taskset_docker_containers/task_010_docker_build/Dockerfile.
File: /home/containers/docker/taskset_docker_containers/task_010_docker_build/Dockerfile:1-2
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM nginx:latest
2 | COPY index.html /usr/share/nginx/html/
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /home/containers/docker/taskset_docker_containers/task_010_docker_build/Dockerfile.
File: /home/containers/docker/taskset_docker_containers/task_010_docker_build/Dockerfile:1-2
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM nginx:latest
2 | COPY index.html /usr/share/nginx/html/
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /home/containers/docker/taskset_docker_containers/task_024_sample_app_persist_db/app/Dockerfile.
File: /home/containers/docker/taskset_docker_containers/task_024_sample_app_persist_db/app/Dockerfile:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | # syntax=docker/dockerfile:1
2 | FROM node:12-alpine
3 | RUN apk add --no-cache python2 g++ make
4 | WORKDIR /app
5 | COPY . .
6 | RUN yarn install --production
7 | CMD ["node", "src/index.js"]
8 | EXPOSE 3000
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /home/containers/docker/taskset_docker_containers/task_024_sample_app_persist_db/app/Dockerfile.
File: /home/containers/docker/taskset_docker_containers/task_024_sample_app_persist_db/app/Dockerfile:1-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | # syntax=docker/dockerfile:1
2 | FROM node:12-alpine
3 | RUN apk add --no-cache python2 g++ make
4 | WORKDIR /app
5 | COPY . .
6 | RUN yarn install --production
7 | CMD ["node", "src/index.js"]
8 | EXPOSE 3000
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /home/containers/docker_compose/taskset_docker_compose_containers/task_010__local__mysql_metricbeat_elasticsearch_kibana/docker/metricbeat/Dockerfile.
File: /home/containers/docker_compose/taskset_docker_compose_containers/task_010__local__mysql_metricbeat_elasticsearch_kibana/docker/metricbeat/Dockerfile:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM docker.elastic.co/beats/metricbeat:7.8.1
2 |
3 | # The file to monitor the host is different from the file to monitor docker services.ADD
4 | # So we pass the filename at build time to choose the target (host or services) of the image built.
5 | ARG METRICBEAT_FILE=metricbeat.yml
6 | COPY ${METRICBEAT_FILE} /usr/share/metricbeat/metricbeat.yml
7 |
8 | USER root
9 |
10 | RUN yum -y install nc
11 |
12 | RUN mkdir /var/log/metricbeat \
13 | && chown metricbeat /usr/share/metricbeat/metricbeat.yml \
14 | && chmod go-w /usr/share/metricbeat/metricbeat.yml \
15 | && chown metricbeat /var/log/metricbeat
16 |
17 | COPY entrypoint.sh /usr/local/bin/custom-entrypoint
18 | RUN chmod +x /usr/local/bin/custom-entrypoint
19 |
20 | USER metricbeat
21 |
22 | ENTRYPOINT ["/usr/local/bin/custom-entrypoint"]
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /home/containers/docker/taskset_docker_containers/task_016_elastic_search_backup_restore_sample_data/Dockerfile.
File: /home/containers/docker/taskset_docker_containers/task_016_elastic_search_backup_restore_sample_data/Dockerfile:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM docker.elastic.co/elasticsearch/elasticsearch:7.7.0
2 |
3 | #this is to tell that we are passing these arguments at runtime
4 | ARG ENV_VAR_AWS_ACCESS_KEY_ID
5 | ARG ENV_VAR_AWS_SECRET_ACCESS_KEY
6 |
7 | ENV AWS_ACCESS_KEY_ID ${ENV_VAR_AWS_ACCESS_KEY_ID}
8 | ENV AWS_SECRET_ACCESS_KEY ${ENV_VAR_AWS_SECRET_ACCESS_KEY}
9 | ENV xpack.security.enabled 'false'
10 | ENV xpack.monitoring.enabled 'false'
11 | ENV xpack.graph.enabled 'false'
12 | ENV xpack.watcher.enabled 'false'
13 | ENV discovery.type 'single-node'
14 | ENV bootstrap.memory_lock 'true'
15 | ENV indices.memory.index_buffer_size '30%'
16 |
17 | RUN /usr/share/elasticsearch/bin/elasticsearch-plugin install --batch repository-s3
18 | RUN /usr/share/elasticsearch/bin/elasticsearch-keystore create
19 | RUN echo $AWS_ACCESS_KEY_ID | /usr/share/elasticsearch/bin/elasticsearch-keystore add --stdin s3.client.default.access_key
20 | RUN echo $AWS_SECRET_ACCESS_KEY | /usr/share/elasticsearch/bin/elasticsearch-keystore add --stdin s3.client.default.secret_key
21 |
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /home/containers/docker/taskset_docker_containers/task_016_elastic_search_backup_restore_sample_data/Dockerfile.
File: /home/containers/docker/taskset_docker_containers/task_016_elastic_search_backup_restore_sample_data/Dockerfile:1-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM docker.elastic.co/elasticsearch/elasticsearch:7.7.0
2 |
3 | #this is to tell that we are passing these arguments at runtime
4 | ARG ENV_VAR_AWS_ACCESS_KEY_ID
5 | ARG ENV_VAR_AWS_SECRET_ACCESS_KEY
6 |
7 | ENV AWS_ACCESS_KEY_ID ${ENV_VAR_AWS_ACCESS_KEY_ID}
8 | ENV AWS_SECRET_ACCESS_KEY ${ENV_VAR_AWS_SECRET_ACCESS_KEY}
9 | ENV xpack.security.enabled 'false'
10 | ENV xpack.monitoring.enabled 'false'
11 | ENV xpack.graph.enabled 'false'
12 | ENV xpack.watcher.enabled 'false'
13 | ENV discovery.type 'single-node'
14 | ENV bootstrap.memory_lock 'true'
15 | ENV indices.memory.index_buffer_size '30%'
16 |
17 | RUN /usr/share/elasticsearch/bin/elasticsearch-plugin install --batch repository-s3
18 | RUN /usr/share/elasticsearch/bin/elasticsearch-keystore create
19 | RUN echo $AWS_ACCESS_KEY_ID | /usr/share/elasticsearch/bin/elasticsearch-keystore add --stdin s3.client.default.access_key
20 | RUN echo $AWS_SECRET_ACCESS_KEY | /usr/share/elasticsearch/bin/elasticsearch-keystore add --stdin s3.client.default.secret_key
21 |
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_009_monitoring_applications_in_gcp__python/Dockerfile.
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_009_monitoring_applications_in_gcp__python/Dockerfile:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM python:3.7
2 | WORKDIR /app
3 | COPY . .
4 | RUN pip install gunicorn
5 | RUN pip install -r requirements.txt
6 | ENV PORT=8080
7 | CMD exec gunicorn --bind :$PORT --workers 1 --threads 8 main:app
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_009_monitoring_applications_in_gcp__python/Dockerfile.
File: /home/cloud_providers/gcp/taskset_gcp_cloud_providers/task_009_monitoring_applications_in_gcp__python/Dockerfile:1-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM python:3.7
2 | WORKDIR /app
3 | COPY . .
4 | RUN pip install gunicorn
5 | RUN pip install -r requirements.txt
6 | ENV PORT=8080
7 | CMD exec gunicorn --bind :$PORT --workers 1 --threads 8 main:app
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_001_nodejs_docker_app/node_project/Dockerfile.
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_001_nodejs_docker_app/node_project/Dockerfile:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM node:10-alpine
2 |
3 | RUN mkdir -p /home/node/app/node_modules && chown -R node:node /home/node/app
4 |
5 | WORKDIR /home/node/app
6 |
7 | COPY package*.json ./
8 |
9 | USER node
10 |
11 | RUN npm install
12 |
13 | COPY --chown=node:node . .
14 |
15 | EXPOSE 8080
16 |
17 | CMD [ "node", "app.js" ]
Check: CKV_DOCKER_9: "Ensure that APT isn't used"
FAILED for resource: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-agent.Dockerfile.RUN
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-agent.Dockerfile:12-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-docker-apt-is-not-used.html
12 | RUN apt update
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-agent.Dockerfile.
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-agent.Dockerfile:1-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /home/containers/docker_compose/taskset_docker_compose_containers/task_008__local__mongodb_metricbeat_elasticsearch_kibana/docker/metricbeat/Dockerfile.
File: /home/containers/docker_compose/taskset_docker_compose_containers/task_008__local__mongodb_metricbeat_elasticsearch_kibana/docker/metricbeat/Dockerfile:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM docker.elastic.co/beats/metricbeat:7.8.1
2 |
3 | # The file to monitor the host is different from the file to monitor docker services.ADD
4 | # So we pass the filename at build time to choose the target (host or services) of the image built.
5 | ARG METRICBEAT_FILE=metricbeat.yml
6 | COPY ${METRICBEAT_FILE} /usr/share/metricbeat/metricbeat.yml
7 |
8 | USER root
9 |
10 | RUN yum -y install nc
11 |
12 | RUN mkdir /var/log/metricbeat \
13 | && chown metricbeat /usr/share/metricbeat/metricbeat.yml \
14 | && chmod go-w /usr/share/metricbeat/metricbeat.yml \
15 | && chown metricbeat /var/log/metricbeat
16 |
17 | COPY entrypoint.sh /usr/local/bin/custom-entrypoint
18 | RUN chmod +x /usr/local/bin/custom-entrypoint
19 |
20 | USER metricbeat
21 |
22 | ENTRYPOINT ["/usr/local/bin/custom-entrypoint"]
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_006_nginx_docker/Dockerfile.
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_006_nginx_docker/Dockerfile:1-6
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM nginx:alpine
2 |
3 | COPY conf.d /etc/nginx/conf.d
4 | COPY html /usr/share/nginx/html
5 |
6 |
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_006_nginx_docker/Dockerfile.
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_006_nginx_docker/Dockerfile:1-6
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM nginx:alpine
2 |
3 | COPY conf.d /etc/nginx/conf.d
4 | COPY html /usr/share/nginx/html
5 |
6 |
Check: CKV2_DOCKER_1: "Ensure that sudo isn't used"
FAILED for resource: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-agent.Dockerfile.RUN
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-agent.Dockerfile:13-13
13 | RUN apt install sudo systemd-container python3 python3-pip ansible apt-transport-https gnupg2 ca-certificates curl zip -y
Check: CKV2_DOCKER_1: "Ensure that sudo isn't used"
FAILED for resource: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-agent.Dockerfile.RUN
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-agent.Dockerfile:14-14
14 | RUN usermod -aG sudo jenkins
secrets scan results:
Passed checks: 0, Failed checks: 24, Skipped checks: 0
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: d814c64538caee0cf5475e4f35c237f538fe0986
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/jenkins-k8s-manifests.yaml:29-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
29 | jenkins-admin-password: "UVdhR2**************************"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: d5ae5026de546d77c70e6ca6ec05209a75a3fa57
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_007__local__jenkins_k8s/values.yaml:52-53
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
52 | passwordKey: jenki*****************
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 8fef8d3132df62068e4b25988d779736848b89dc
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/oauth2-proxy/oauth2-manifests.yaml:61-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
61 | cookie-secret: "WTI5dm******************"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 7312c83acf320eb58fad1822f76302f2a74479dd
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_013__aws__oauth2_proxy/oauth2-proxy/oauth2-manifests.yaml:62-63
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
62 | client-secret: "WEkzZl**************************"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: b2ade2eb607f72ff17413f1194759a22b42ef4ae
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_015__aws__lets_encrypt_kops_cluster/k8s-resources.yaml:871-872
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
871 | cert-manager.io/inject-ca-from-secret: "defaul******************************"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 80cf9458c1574379d5089c8444c99dbdb0e16d11
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/kong/values.yaml:722-723
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
722 | session_conf_secret: kong***************
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: d237fbe5aa1dd130155e99d0b8fcd3f4bc96dc2e
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/kong/values.yaml:725-726
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
725 | admin_gui_auth_conf_secret: CHANGE*****************************
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 0a17941f36e29157520c76169c8217fb54d8c17e
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_018_aws__kong_ingress_on_eks/kong/values.yaml:747-748
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
747 | smtp_password_secret: CHANG*****************
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 11f0b6aad889e6e3d00a24835dbbd060fcd0ca4d
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_036__gcp_vm__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5441-5442
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
5441 | cert-manager.io/inject-ca-from-secret: "cert-m******************************"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 11f0b6aad889e6e3d00a24835dbbd060fcd0ca4d
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_037__gcp_k8s__cert_manager_lets_encypt_http_validation/cert-manager.yaml:5441-5442
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
5441 | cert-manager.io/inject-ca-from-secret: "cert-m******************************"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 11f0b6aad889e6e3d00a24835dbbd060fcd0ca4d
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/build/cert_manager_all.yaml:10006-10007
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
10006 | cert-manager.io/inject-ca-from-secret: cert-m******************************
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 11f0b6aad889e6e3d00a24835dbbd060fcd0ca4d
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_042__gcp_k8s__cert_manager_dns_validation___using_41/vendor/cert-manager/cert-manager-vendor.yaml:5597-5598
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
5597 | cert-manager.io/inject-ca-from-secret: "cert-m******************************"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 461873484a1f97a965c0744373aded162149173c
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/build/keycloakx_all.yaml:45-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
45 | password: keyc************
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: f41d2771b781d1ecab5cc6922ea28c752067731d
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/build/keycloakx_all.yaml:122-123
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
122 | checksum/secrets: b2466d**********************************************************
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 461873484a1f97a965c0744373aded162149173c
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/vendor/keycloakx/keycloak-server-manifest-vendor.yaml:32-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
32 | password: "keyc************"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: f41d2771b781d1ecab5cc6922ea28c752067731d
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/vendor/keycloakx/keycloak-server-manifest-vendor.yaml:132-133
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
132 | checksum/secrets: b2466d**********************************************************
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 461873484a1f97a965c0744373aded162149173c
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/vendor/keycloakx/keycloak-server-values.yaml:42-43
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
42 | password: keyc************
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: b3693ec881768e3408fdb0df6feece51c66fb134
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/vendor/postgresql/keycloak-db-manifest-vendor.yaml:15-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
15 | postgres-password: "cG9zdG******************"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: c144f4413b240dc54914c9f0a987027827ec160e
File: /home/containers/kubernetes/tasket_kubernetes_containers/task_043_gcp_k8s__codecentric_keycloak__bitnami_postgres___using_41_42/vendor/postgresql/keycloak-db-manifest-vendor.yaml:16-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
16 | password: "a2V5Y2******************"
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: da19880411eca9df7c34f4f4690fb783e9c38d38
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_004_nodejs_mongo_k8s/secret.yaml:3-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
3 | MONGO_PASSWORD: cGF*********
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: ee7a743a4a0626c2db2297c3a035867dd3f7dc71
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/mongodb-values.yaml:33-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
33 | existingSecret: mon*********
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: da19880411eca9df7c34f4f4690fb783e9c38d38
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/nodeapp/templates/secret.yaml:6-7
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
6 | MONGO_PASSWORD: cGF*********
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: da19880411eca9df7c34f4f4690fb783e9c38d38
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/resources-app.yaml:20-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
20 | MONGO_PASSWORD: cGF*********
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: da19880411eca9df7c34f4f4690fb783e9c38d38
File: /home/interview/coding_assignments/taskset_coding_assignments_interview/task_005_nodejs_mongo_k8s_helm_scale/secret.yaml:3-4
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
3 | MONGO_PASSWORD: cGF*********
ansible scan results:
Passed checks: 34, Failed checks: 10, Skipped checks: 0
Check: CKV_ANSIBLE_6: "Ensure that the force parameter is not used, as it disables signature validation and allows packages to be downgraded which can leave the system in a broken or inconsistent state"
FAILED for resource: tasks.apt.Install pinned datadog-agent package
File: /home/infrastructure_as_code/ansible/taskset_ansible_infrastructure_as_code/task_002_datadog_agent/playbooks/roles/datadog-agent/tasks/pkg-debian/install-pinned.yml:2-12
2 | - name: Install pinned datadog-agent package
3 | apt:
4 | name: "datadog-agent={{ datadog_agent_debian_version }}"
5 | state: present
6 | force: "{{ datadog_agent_allow_downgrade }}"
7 | update_cache: yes
8 | cache_valid_time: "{{ datadog_apt_cache_valid_time }}"
9 | register: datadog_agent_install
10 | when: not ansible_check_mode
Check: CKV2_ANSIBLE_2: "Ensure that HTTPS url is used with get_url"
FAILED for resource: tasks.get_url.Download new RPM key
File: /home/infrastructure_as_code/ansible/taskset_ansible_infrastructure_as_code/task_002_datadog_agent/playbooks/roles/datadog-agent/tasks/pkg-redhat.yml:2-9
2 | - name: Download new RPM key
3 | get_url:
4 | url: "{{ datadog_yum_gpgkey_e09422b3 }}"
5 | dest: /tmp/DATADOG_RPM_KEY_E09422B3.public
6 | checksum: "sha256:{{ datadog_yum_gpgkey_e09422b3_sha256sum }}"
7 |
Check: CKV2_ANSIBLE_2: "Ensure that HTTPS url is used with get_url"
FAILED for resource: tasks.get_url.block.Download RPM key (SLES11)
File: /home/infrastructure_as_code/ansible/taskset_ansible_infrastructure_as_code/task_002_datadog_agent/playbooks/roles/datadog-agent/tasks/pkg-suse.yml:8-14
8 | - name: Download RPM key (SLES11)
9 | get_url:
10 | url: "{{ datadog_zypper_gpgkey }}"
11 | dest: /tmp/DATADOG_RPM_KEY.public
12 | when: not ddkey.stat.exists
13 | when: datadog_agent_major_version|int < 7 and ansible_distribution_version|int == 11
14 |
Check: CKV2_ANSIBLE_2: "Ensure that HTTPS url is used with get_url"
FAILED for resource: tasks.get_url.Download RPM key
File: /home/infrastructure_as_code/ansible/taskset_ansible_infrastructure_as_code/task_002_datadog_agent/playbooks/roles/datadog-agent/tasks/pkg-suse.yml:16-24
16 | - name: Download RPM key
17 | get_url:
18 | url: "{{ datadog_zypper_gpgkey }}"
19 | dest: /tmp/DATADOG_RPM_KEY.public
20 | checksum: "sha256:{{ datadog_zypper_gpgkey_sha256sum }}"
21 | when: datadog_agent_major_version|int < 7 and ansible_distribution_version|int >= 12
22 |
Check: CKV2_ANSIBLE_2: "Ensure that HTTPS url is used with get_url"
FAILED for resource: tasks.get_url.block.Download new RPM key (SLES11)
File: /home/infrastructure_as_code/ansible/taskset_ansible_infrastructure_as_code/task_002_datadog_agent/playbooks/roles/datadog-agent/tasks/pkg-suse.yml:34-40
34 | - name: Download new RPM key (SLES11)
35 | get_url:
36 | url: "{{ datadog_zypper_gpgkey_e09422b3 }}"
37 | dest: /tmp/DATADOG_RPM_KEY_E09422B3.public
38 | when: not ddnewkey.stat.exists
39 | when: ansible_distribution_version|int == 11
40 |
Check: CKV2_ANSIBLE_2: "Ensure that HTTPS url is used with get_url"
FAILED for resource: tasks.get_url.Download new RPM key
File: /home/infrastructure_as_code/ansible/taskset_ansible_infrastructure_as_code/task_002_datadog_agent/playbooks/roles/datadog-agent/tasks/pkg-suse.yml:41-49
41 | - name: Download new RPM key
42 | get_url:
43 | url: "{{ datadog_zypper_gpgkey_e09422b3 }}"
44 | dest: /tmp/DATADOG_RPM_KEY_E09422B3.public
45 | checksum: "sha256:{{ datadog_zypper_gpgkey_e09422b3_sha256sum }}"
46 | when: ansible_distribution_version|int >= 12
47 |
Check: CKV2_ANSIBLE_2: "Ensure that HTTPS url is used with get_url"
FAILED for resource: tasks.get_url.Add Docker repository.
File: /home/infrastructure_as_code/ansible/taskset_ansible_infrastructure_as_code/task_005_docker/playbooks/roles/docker/tasks/setup-RedHat.yml:15-24
15 | - name: Add Docker repository.
16 | get_url:
17 | url: "{{ docker_yum_repo_url }}"
18 | dest: '/etc/yum.repos.d/docker-{{ docker_edition }}.repo'
19 | owner: root
20 | group: root
21 | mode: 0644
22 |
Check: CKV2_ANSIBLE_2: "Ensure that HTTPS url is used with get_url"
FAILED for resource: tasks.get_url.Add Docker repository.
File: /home/infrastructure_as_code/ansible/taskset_ansible_infrastructure_as_code/task_008_kibana_docker/playbooks/roles/docker/tasks/setup-RedHat.yml:15-24
15 | - name: Add Docker repository.
16 | get_url:
17 | url: "{{ docker_yum_repo_url }}"
18 | dest: '/etc/yum.repos.d/docker-{{ docker_edition }}.repo'
19 | owner: root
20 | group: root
21 | mode: 0644
22 |
Check: CKV2_ANSIBLE_3: "Ensure block is handling task errors properly"
FAILED for resource: block.unknown
File: /home/infrastructure_as_code/ansible/taskset_ansible_infrastructure_as_code/task_002_datadog_agent/playbooks/roles/datadog-agent/tasks/pkg-suse.yml:3-17
3 | - block: # Work around due to SNI check for SLES11
4 | - name: Stat if RPM key already exists
5 | stat:
6 | path: /tmp/DATADOG_RPM_KEY.public
7 | register: ddkey
8 | - name: Download RPM key (SLES11)
9 | get_url:
10 | url: "{{ datadog_zypper_gpgkey }}"
11 | dest: /tmp/DATADOG_RPM_KEY.public
12 | when: not ddkey.stat.exists
13 | when: datadog_agent_major_version|int < 7 and ansible_distribution_version|int == 11
14 |
15 | # Do not import old key if installing Agent 7, as all Agent 7 packages are signed with the new key
16 | - name: Download RPM key
17 | get_url:
Check: CKV2_ANSIBLE_3: "Ensure block is handling task errors properly"
FAILED for resource: block.unknown
File: /home/infrastructure_as_code/ansible/taskset_ansible_infrastructure_as_code/task_002_datadog_agent/playbooks/roles/datadog-agent/tasks/pkg-suse.yml:29-42
29 | - block: # Work around due to SNI check for SLES11
30 | - name: Stat if new RPM key already exists
31 | stat:
32 | path: /tmp/DATADOG_RPM_KEY_E09422B3.public
33 | register: ddnewkey
34 | - name: Download new RPM key (SLES11)
35 | get_url:
36 | url: "{{ datadog_zypper_gpgkey_e09422b3 }}"
37 | dest: /tmp/DATADOG_RPM_KEY_E09422B3.public
38 | when: not ddnewkey.stat.exists
39 | when: ansible_distribution_version|int == 11
40 |
41 | - name: Download new RPM key
42 | get_url:
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools