| Field | Value |
|---|---|
| Repository | garutilorenzo / k3s-oci-cluster |
| Description | Deploy a Kubernetes cluster for free, using k3s and Oracle always free resources |
| Stars | 183 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found to be configured in any of the CI/CD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository
Checkov Output
terraform scan results:
Passed checks: 9, Failed checks: 8, Skipped checks: 0
Check: CKV_OCI_5: "Ensure OCI Compute Instance has Legacy MetaData service endpoint disabled"
FAILED for resource: module.k3s_cluster.oci_core_instance.k3s_extra_worker_node[0]
File: /k3s-workers.tf:33-95
Calling File: /example/main.tf:28-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/oci-policies/compute/ensure-oci-compute-instance-has-legacy-metadata-service-endpoint-disabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_OCI_4: "Ensure OCI Compute Instance boot volume has in-transit data encryption enabled"
FAILED for resource: module.k3s_cluster.oci_core_instance.k3s_extra_worker_node[0]
File: /k3s-workers.tf:33-95
Calling File: /example/main.tf:28-46
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/oci-policies/compute/ensure-oci-compute-instance-boot-volume-has-in-transit-data-encryption-enabled.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_OCI_21: "Ensure security group has stateless ingress security rules"
FAILED for resource: module.k3s_cluster.oci_core_network_security_group_security_rule.allow_http_from_all
File: /nsg.tf:13-30
Calling File: /example/main.tf:28-46
Guide: https://docs.bridgecrew.io/docs/ensure-oci-security-group-has-stateless-ingress-security-rules
13 | resource "oci_core_network_security_group_security_rule" "allow_http_from_all" {
14 |   network_security_group_id = oci_core_network_security_group.public_lb_nsg.id
15 |   direction                 = "INGRESS"
16 |   protocol                  = 6 # tcp
17 |
18 |   description = "Allow HTTP from all"
19 |
20 |   source      = "0.0.0.0/0"
21 |   source_type = "CIDR_BLOCK"
22 |   stateless   = false
23 |
24 |   tcp_options {
25 |     destination_port_range {
26 |       max = var.http_lb_port
27 |       min = var.http_lb_port
28 |     }
29 |   }
30 | }
Check: CKV_OCI_21: "Ensure security group has stateless ingress security rules"
FAILED for resource: module.k3s_cluster.oci_core_network_security_group_security_rule.allow_https_from_all
File: /nsg.tf:32-49
Calling File: /example/main.tf:28-46
Guide: https://docs.bridgecrew.io/docs/ensure-oci-security-group-has-stateless-ingress-security-rules
32 | resource "oci_core_network_security_group_security_rule" "allow_https_from_all" {
33 |   network_security_group_id = oci_core_network_security_group.public_lb_nsg.id
34 |   direction                 = "INGRESS"
35 |   protocol                  = 6 # tcp
36 |
37 |   description = "Allow HTTPS from all"
38 |
39 |   source      = "0.0.0.0/0"
40 |   source_type = "CIDR_BLOCK"
41 |   stateless   = false
42 |
43 |   tcp_options {
44 |     destination_port_range {
45 |       max = var.https_lb_port
46 |       min = var.https_lb_port
47 |     }
48 |   }
49 | }
Check: CKV_OCI_21: "Ensure security group has stateless ingress security rules"
FAILED for resource: module.k3s_cluster.oci_core_network_security_group_security_rule.nsg_to_instances_http
File: /nsg.tf:83-100
Calling File: /example/main.tf:28-46
Guide: https://docs.bridgecrew.io/docs/ensure-oci-security-group-has-stateless-ingress-security-rules
83 | resource "oci_core_network_security_group_security_rule" "nsg_to_instances_http" {
84 |   network_security_group_id = oci_core_network_security_group.lb_to_instances_http.id
85 |   direction                 = "INGRESS"
86 |   protocol                  = 6 # tcp
87 |
88 |   description = "Allow HTTP from all"
89 |
90 |   source      = oci_core_network_security_group.public_lb_nsg.id
91 |   source_type = "NETWORK_SECURITY_GROUP"
92 |   stateless   = false
93 |
94 |   tcp_options {
95 |     destination_port_range {
96 |       max = var.http_lb_port
97 |       min = var.http_lb_port
98 |     }
99 |   }
100 | }
Check: CKV_OCI_21: "Ensure security group has stateless ingress security rules"
FAILED for resource: module.k3s_cluster.oci_core_network_security_group_security_rule.nsg_to_instances_https
File: /nsg.tf:102-119
Calling File: /example/main.tf:28-46
Guide: https://docs.bridgecrew.io/docs/ensure-oci-security-group-has-stateless-ingress-security-rules
102 | resource "oci_core_network_security_group_security_rule" "nsg_to_instances_https" {
103 |   network_security_group_id = oci_core_network_security_group.lb_to_instances_http.id
104 |   direction                 = "INGRESS"
105 |   protocol                  = 6 # tcp
106 |
107 |   description = "Allow HTTPS from all"
108 |
109 |   source      = oci_core_network_security_group.public_lb_nsg.id
110 |   source_type = "NETWORK_SECURITY_GROUP"
111 |   stateless   = false
112 |
113 |   tcp_options {
114 |     destination_port_range {
115 |       max = var.https_lb_port
116 |       min = var.https_lb_port
117 |     }
118 |   }
119 | }
Check: CKV2_OCI_2: "Ensure NSG does not allow all traffic on RDP port (3389)"
FAILED for resource: module.k3s_cluster.oci_core_network_security_group_security_rule.allow_http_from_all
File: /nsg.tf:13-30
Check: CKV2_OCI_2: "Ensure NSG does not allow all traffic on RDP port (3389)"
FAILED for resource: module.k3s_cluster.oci_core_network_security_group_security_rule.allow_https_from_all
File: /nsg.tf:32-49
kubernetes scan results:
Passed checks: 419, Failed checks: 141, Skipped checks: 0
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/mariadb-deployment.yml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   labels:
5 |     app: mariadb
6 |   name: mariadb
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: mariadb
12 |       tier: backend
13 |   strategy: {}
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: mariadb
18 |         tier: backend
19 |     spec:
20 |       containers:
21 |       - image: mariadb:latest
22 |         name: mariadb
23 |         env:
24 |         - name: MYSQL_ROOT_PASSWORD
25 |           value: ro0tP4sSworD
26 |         - name: MYSQL_DATABASE
27 |           value: wordpress
28 |         - name: MYSQL_USER
29 |           value: wpuser
30 |         - name: MYSQL_PASSWORD
31 |           value: W0rd_Pr3sSUs3r.
32 |         volumeMounts:
33 |         - name: "mariadb-persistent-storage"
34 |           mountPath: "/var/lib/mysql/"
35 |       volumes:
36 |       - name: mariadb-persistent-storage
37 |         persistentVolumeClaim:
38 |           claimName: mariadb-pvc
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/mariadb-deployment.yml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/mariadb-deployment.yml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/mariadb-deployment.yml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/mariadb-deployment.yml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/mariadb-deployment.yml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/mariadb-deployment.yml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/mariadb-deployment.yml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/mariadb-deployment.yml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/mariadb-deployment.yml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/mariadb-deployment.yml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/mariadb-deployment.yml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/mariadb-deployment.yml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/mariadb-deployment.yml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/mariadb-deployment.yml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/mariadb-deployment.yml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/mariadb-deployment.yml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/mariadb-deployment.yml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/mariadb-deployment.yml:1-38
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/all-resources.yml:14-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
14 | apiVersion: apps/v1
15 | kind: Deployment
16 | metadata:
17 |   labels:
18 |     app: mariadb
19 |   name: mariadb
20 | spec:
21 |   replicas: 1
22 |   selector:
23 |     matchLabels:
24 |       app: mariadb
25 |       tier: backend
26 |   strategy: {}
27 |   template:
28 |     metadata:
29 |       labels:
30 |         app: mariadb
31 |         tier: backend
32 |     spec:
33 |       containers:
34 |       - image: mariadb:latest
35 |         name: mariadb
36 |         env:
37 |         - name: MYSQL_ROOT_PASSWORD
38 |           value: ro0tP4sSworD
39 |         - name: MYSQL_DATABASE
40 |           value: wordpress
41 |         - name: MYSQL_USER
42 |           value: wpuser
43 |         - name: MYSQL_PASSWORD
44 |           value: W0rd_Pr3sSUs3r.
45 |         volumeMounts:
46 |         - name: "mariadb-persistent-storage"
47 |           mountPath: "/var/lib/mysql/"
48 |       volumes:
49 |       - name: mariadb-persistent-storage
50 |         persistentVolumeClaim:
51 |           claimName: mariadb-pvc
52 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/all-resources.yml:14-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/all-resources.yml:14-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/all-resources.yml:14-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/all-resources.yml:14-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/all-resources.yml:14-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/all-resources.yml:14-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/all-resources.yml:14-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/all-resources.yml:14-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/all-resources.yml:14-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/all-resources.yml:14-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/all-resources.yml:14-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/all-resources.yml:14-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/all-resources.yml:14-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/all-resources.yml:14-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/all-resources.yml:14-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/all-resources.yml:14-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/all-resources.yml:14-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.mariadb
File: /deployments/mariadb/all-resources.yml:14-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.mariadb-svc
File: /deployments/mariadb/all-resources.yml:53-68
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
53 | apiVersion: v1
54 | kind: Service
55 | metadata:
56 |   labels:
57 |     app: mariadb
58 |     tier: backend
59 |   name: mariadb-svc
60 | spec:
61 |   ports:
62 |   - port: 3306
63 |     protocol: TCP
64 |     targetPort: 3306
65 |   selector:
66 |     app: mariadb
67 |     tier: backend
68 |   type: ClusterIP
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.mariadb-svc
File: /deployments/mariadb/mariadb-svc.yml:1-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 |   labels:
5 |     app: mariadb
6 |     tier: backend
7 |   name: mariadb-svc
8 | spec:
9 |   ports:
10 |   - port: 3306
11 |     protocol: TCP
12 |     targetPort: 3306
13 |   selector:
14 |     app: mariadb
15 |     tier: backend
16 |   type: ClusterIP
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/all-resources.yml:14-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
14 | apiVersion: apps/v1
15 | kind: Deployment
16 | metadata:
17 |   name: wordpress
18 |   labels:
19 |     app: wordpress
20 | spec:
21 |   replicas: 1
22 |   selector:
23 |     matchLabels:
24 |       app: wordpress
25 |       tier: frontend
26 |   strategy: {}
27 |   template:
28 |     metadata:
29 |       labels:
30 |         app: wordpress
31 |         tier: frontend
32 |     spec:
33 |       containers:
34 |       - image: wordpress:php7.4-fpm
35 |         name: wordpress
36 |         env:
37 |         - name: WORDPRESS_DB_HOST
38 |           value: mariadb-svc
39 |         - name: WORDPRESS_DB_NAME
40 |           value: wordpress
41 |         - name: WORDPRESS_DB_USER
42 |           value: wpuser
43 |         - name: WORDPRESS_DB_PASSWORD
44 |           value: W0rd_Pr3sSUs3r.
45 |         ports:
46 |         - containerPort: 9000
47 |           name: php-fpm
48 |         volumeMounts:
49 |         - name: wordpress-persistent-storage
50 |           mountPath: /var/www/html
51 |       volumes:
52 |       - name: wordpress-persistent-storage
53 |         persistentVolumeClaim:
54 |           claimName: wordpress-pvc
55 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/all-resources.yml:14-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/all-resources.yml:14-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/all-resources.yml:14-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/all-resources.yml:14-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/all-resources.yml:14-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/all-resources.yml:14-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/all-resources.yml:14-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/all-resources.yml:14-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/all-resources.yml:14-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
(resource code listing omitted: identical to the listing shown above for this resource)
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/all-resources.yml:14-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
(resource code listing omitted: identical to the listing shown above for this resource)
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/all-resources.yml:14-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
(resource code listing omitted: identical to the listing shown above for this resource)
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/all-resources.yml:14-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
(resource code listing omitted: identical to the listing shown above for this resource)
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/all-resources.yml:14-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
(resource code listing omitted: identical to the listing shown above for this resource)
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/all-resources.yml:14-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
(resource code listing omitted: identical to the listing shown above for this resource)
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/all-resources.yml:14-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
(resource code listing omitted: identical to the listing shown above for this resource)
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/all-resources.yml:14-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
(resource code listing omitted: identical to the listing shown above for this resource)
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/all-resources.yml:14-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
(resource code listing omitted: identical to the listing shown above for this resource)
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/all-resources.yml:14-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
(resource code listing omitted: identical to the listing shown above for this resource)
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.wordpress-svc
File: /deployments/wordpress/all-resources.yml:56-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
56 | apiVersion: v1
57 | kind: Service
58 | metadata:
59 | labels:
60 | app: wordpress
61 | tier: frontend
62 | name: wordpress-svc
63 | spec:
64 | ports:
65 | - port: 9000
66 | protocol: TCP
67 | targetPort: 9000
68 | selector:
69 | app: wordpress
70 | tier: frontend
71 | type: ClusterIP
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.wordpress-svc
File: /deployments/wordpress/wordpress-svc.yml:1-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 | labels:
5 | app: wordpress
6 | tier: frontend
7 | name: wordpress-svc
8 | spec:
9 | ports:
10 | - port: 9000
11 | protocol: TCP
12 | targetPort: 9000
13 | selector:
14 | app: wordpress
15 | tier: frontend
16 | type: ClusterIP
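Every failed check listed above for the WordPress Deployment in all-resources.yml (and the same set repeated for wordpress-deployment.yml in the checks that follow) comes from the same short pod spec, so they are best fixed together. The manifest below is an added example written for this page, not the repository's own code. It assumes a namespace named wordpress already exists, uses a placeholder image digest and Secret value, and picks a UID and resource sizes that are assumptions rather than measured values. One thing none of the listed checks flags: WORDPRESS_DB_PASSWORD is a literal value in the manifest, so it is already in git history and must be rotated, not merely moved into a Secret.

```yaml
# Added example (not the repository's own manifest): a hardened rewrite of the
# WordPress Deployment that addresses the checkov findings listed above.
# Placeholders/assumptions: image digest, namespace, UID, resource sizes, Secret
# name and value. The namespace and the wordpress-pvc claim are assumed to exist.
apiVersion: v1
kind: Secret
metadata:
  name: wordpress-db
  namespace: wordpress
type: Opaque
stringData:
  db-password: REPLACE_ME   # placeholder; rotate the value that was committed in clear text
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wordpress
  namespace: wordpress                      # CKV_K8S_21: not "default"
  labels:
    app: wordpress
spec:
  replicas: 1
  selector:
    matchLabels:
      app: wordpress
      tier: frontend
  template:
    metadata:
      labels:
        app: wordpress
        tier: frontend
    spec:
      automountServiceAccountToken: false   # CKV_K8S_38: the pod never calls the API server
      securityContext:                      # CKV_K8S_29: pod-level security context
        runAsNonRoot: true                  # CKV_K8S_23
        runAsUser: 10001                    # CKV_K8S_40: high UID (assumed value)
        runAsGroup: 10001
        fsGroup: 10001                      # make the PVC writable by that UID
        seccompProfile:
          type: RuntimeDefault              # CKV_K8S_31
      containers:
      - name: wordpress
        # CKV_K8S_43: pin by digest; resolve it with e.g. `crane digest wordpress:php7.4-fpm`
        image: wordpress:php7.4-fpm@sha256:REPLACE_WITH_DIGEST   # placeholder digest
        imagePullPolicy: Always             # CKV_K8S_15
        securityContext:                    # CKV_K8S_30: container-level security context
          allowPrivilegeEscalation: false   # CKV_K8S_20
          readOnlyRootFilesystem: true      # CKV_K8S_22
          capabilities:
            drop: ["ALL"]                   # CKV_K8S_28 (NET_RAW) and CKV_K8S_37
        env:
        - name: WORDPRESS_DB_HOST
          value: mariadb-svc
        - name: WORDPRESS_DB_NAME
          value: wordpress
        - name: WORDPRESS_DB_USER
          value: wpuser
        - name: WORDPRESS_DB_PASSWORD_FILE  # the official image reads *_FILE variants
          value: /run/secrets/db/db-password
        ports:
        - containerPort: 9000
          name: php-fpm
        resources:
          requests:                         # CKV_K8S_10, CKV_K8S_12 (assumed sizes)
            cpu: 100m
            memory: 128Mi
          limits:                           # CKV_K8S_11, CKV_K8S_13
            cpu: 500m
            memory: 512Mi
        livenessProbe:                      # CKV_K8S_8: php-fpm speaks FastCGI, so probe the TCP port
          tcpSocket:
            port: php-fpm
          initialDelaySeconds: 30
          periodSeconds: 10
        readinessProbe:                     # CKV_K8S_9
          tcpSocket:
            port: php-fpm
          initialDelaySeconds: 5
          periodSeconds: 5
        volumeMounts:
        - name: wordpress-persistent-storage
          mountPath: /var/www/html
        - name: db-secret
          mountPath: /run/secrets/db
          readOnly: true
        - name: tmp                         # scratch space once the root filesystem is read-only
          mountPath: /tmp
      volumes:
      - name: wordpress-persistent-storage
        persistentVolumeClaim:
          claimName: wordpress-pvc
      - name: db-secret
        secret:
          secretName: wordpress-db
      - name: tmp
        emptyDir: {}
```

The Service only needs `namespace: wordpress` added under its metadata to clear its CKV_K8S_21 finding. Two caveats before relying on this: the official wordpress fpm image is built to start php-fpm as root and drop the pool workers to www-data, so when the whole container runs as an unprivileged UID the pool's user/group directives are ignored and the entrypoint copies WordPress into /var/www/html as that UID, which is why fsGroup is set; verify the first boot on a test cluster. Pinning a digest also freezes the image, and the php7.4-fpm tag tracks a PHP branch that reached end of life in November 2022, so the pin should go together with a move to a supported tag. To get a report without the repeated resource dumps seen above, run checkov with `checkov -d deployments/wordpress --framework kubernetes --compact --quiet`.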
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/wordpress-deployment.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: wordpress
5 | labels:
6 | app: wordpress
7 | spec:
8 | replicas: 1
9 | selector:
10 | matchLabels:
11 | app: wordpress
12 | tier: frontend
13 | strategy: {}
14 | template:
15 | metadata:
16 | labels:
17 | app: wordpress
18 | tier: frontend
19 | spec:
20 | containers:
21 | - image: wordpress:php7.4-fpm
22 | name: wordpress
23 | env:
24 | - name: WORDPRESS_DB_HOST
25 | value: mariadb-svc
26 | - name: WORDPRESS_DB_NAME
27 | value: wordpress
28 | - name: WORDPRESS_DB_USER
29 | value: wpuser
30 | - name: WORDPRESS_DB_PASSWORD
31 | value: W0rd_Pr3sSUs3r.
32 | ports:
33 | - containerPort: 9000
34 | name: php-fpm
35 | volumeMounts:
36 | - name: wordpress-persistent-storage
37 | mountPath: /var/www/html
38 | volumes:
39 | - name: wordpress-persistent-storage
40 | persistentVolumeClaim:
41 | claimName: wordpress-pvc
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/wordpress-deployment.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
(resource code listing omitted: identical to the listing shown above for this resource)
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/wordpress-deployment.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
(resource code listing omitted: identical to the listing shown above for this resource)
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/wordpress-deployment.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
(resource code listing omitted: identical to the listing shown above for this resource)
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/wordpress-deployment.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
(resource code listing omitted: identical to the listing shown above for this resource)
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/wordpress-deployment.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
(resource code listing omitted: identical to the listing shown above for this resource)
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/wordpress-deployment.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
(resource code listing omitted: identical to the listing shown above for this resource)
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/wordpress-deployment.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
(resource code listing omitted: identical to the listing shown above for this resource)
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/wordpress-deployment.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
(resource code listing omitted: identical to the listing shown above for this resource)
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/wordpress-deployment.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
(resource code listing omitted: identical to the listing shown above for this resource)
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/wordpress-deployment.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
(resource code listing omitted: identical to the listing shown above for this resource)
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/wordpress-deployment.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
(resource code listing omitted: identical to the listing shown above for this resource)
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/wordpress-deployment.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
(resource code listing omitted: identical to the listing shown above for this resource)
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/wordpress-deployment.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
(resource code listing omitted: identical to the listing shown above for this resource)
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/wordpress-deployment.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
(resource code listing omitted: identical to the listing shown above for this resource)
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/wordpress-deployment.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: wordpress
5 |   labels:
6 |     app: wordpress
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: wordpress
12 |       tier: frontend
13 |   strategy: {}
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: wordpress
18 |         tier: frontend
19 |     spec:
20 |       containers:
21 |       - image: wordpress:php7.4-fpm
22 |         name: wordpress
23 |         env:
24 |         - name: WORDPRESS_DB_HOST
25 |           value: mariadb-svc
26 |         - name: WORDPRESS_DB_NAME
27 |           value: wordpress
28 |         - name: WORDPRESS_DB_USER
29 |           value: wpuser
30 |         - name: WORDPRESS_DB_PASSWORD
31 |           value: W0rd_Pr3sSUs3r.
32 |         ports:
33 |         - containerPort: 9000
34 |           name: php-fpm
35 |         volumeMounts:
36 |         - name: wordpress-persistent-storage
37 |           mountPath: /var/www/html
38 |       volumes:
39 |       - name: wordpress-persistent-storage
40 |         persistentVolumeClaim:
41 |           claimName: wordpress-pvc
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/wordpress-deployment.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: wordpress
5 |   labels:
6 |     app: wordpress
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: wordpress
12 |       tier: frontend
13 |   strategy: {}
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: wordpress
18 |         tier: frontend
19 |     spec:
20 |       containers:
21 |       - image: wordpress:php7.4-fpm
22 |         name: wordpress
23 |         env:
24 |         - name: WORDPRESS_DB_HOST
25 |           value: mariadb-svc
26 |         - name: WORDPRESS_DB_NAME
27 |           value: wordpress
28 |         - name: WORDPRESS_DB_USER
29 |           value: wpuser
30 |         - name: WORDPRESS_DB_PASSWORD
31 |           value: W0rd_Pr3sSUs3r.
32 |         ports:
33 |         - containerPort: 9000
34 |           name: php-fpm
35 |         volumeMounts:
36 |         - name: wordpress-persistent-storage
37 |           mountPath: /var/www/html
38 |       volumes:
39 |       - name: wordpress-persistent-storage
40 |         persistentVolumeClaim:
41 |           claimName: wordpress-pvc
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/wordpress-deployment.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: wordpress
5 |   labels:
6 |     app: wordpress
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: wordpress
12 |       tier: frontend
13 |   strategy: {}
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: wordpress
18 |         tier: frontend
19 |     spec:
20 |       containers:
21 |       - image: wordpress:php7.4-fpm
22 |         name: wordpress
23 |         env:
24 |         - name: WORDPRESS_DB_HOST
25 |           value: mariadb-svc
26 |         - name: WORDPRESS_DB_NAME
27 |           value: wordpress
28 |         - name: WORDPRESS_DB_USER
29 |           value: wpuser
30 |         - name: WORDPRESS_DB_PASSWORD
31 |           value: W0rd_Pr3sSUs3r.
32 |         ports:
33 |         - containerPort: 9000
34 |           name: php-fpm
35 |         volumeMounts:
36 |         - name: wordpress-persistent-storage
37 |           mountPath: /var/www/html
38 |       volumes:
39 |       - name: wordpress-persistent-storage
40 |         persistentVolumeClaim:
41 |           claimName: wordpress-pvc
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.wordpress
File: /deployments/wordpress/wordpress-deployment.yml:1-41
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: wordpress
5 |   labels:
6 |     app: wordpress
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: wordpress
12 |       tier: frontend
13 |   strategy: {}
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: wordpress
18 |         tier: frontend
19 |     spec:
20 |       containers:
21 |       - image: wordpress:php7.4-fpm
22 |         name: wordpress
23 |         env:
24 |         - name: WORDPRESS_DB_HOST
25 |           value: mariadb-svc
26 |         - name: WORDPRESS_DB_NAME
27 |           value: wordpress
28 |         - name: WORDPRESS_DB_USER
29 |           value: wpuser
30 |         - name: WORDPRESS_DB_PASSWORD
31 |           value: W0rd_Pr3sSUs3r.
32 |         ports:
33 |         - containerPort: 9000
34 |           name: php-fpm
35 |         volumeMounts:
36 |         - name: wordpress-persistent-storage
37 |           mountPath: /var/www/html
38 |       volumes:
39 |       - name: wordpress-persistent-storage
40 |         persistentVolumeClaim:
41 |           claimName: wordpress-pvc
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.nginx-conf
File: /deployments/nginx/all-resources.yml:1-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.wordpress-conf-tpl
File: /deployments/nginx/all-resources.yml:63-162
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.nginx-custom-conf
File: /deployments/nginx/all-resources.yml:163-286
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.wp-hardening
File: /deployments/nginx/all-resources.yml:287-424
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/all-resources.yml:425-499
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/all-resources.yml:425-499
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/all-resources.yml:425-499
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/all-resources.yml:425-499
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/all-resources.yml:425-499
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/all-resources.yml:425-499
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/all-resources.yml:425-499
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/all-resources.yml:425-499
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/all-resources.yml:425-499
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/all-resources.yml:425-499
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/all-resources.yml:425-499
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/all-resources.yml:425-499
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/all-resources.yml:425-499
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/all-resources.yml:425-499
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/all-resources.yml:425-499
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/all-resources.yml:425-499
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/all-resources.yml:425-499
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/all-resources.yml:425-499
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/all-resources.yml:425-499
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.nginx-svc
File: /deployments/nginx/all-resources.yml:500-516
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
500 | apiVersion: v1
501 | kind: Service
502 | metadata:
503 |   labels:
504 |     app: nginx
505 |     tier: frontend
506 |   name: nginx-svc
507 | spec:
508 |   ports:
509 |   - port: 80
510 |     protocol: TCP
511 |     targetPort: 80
512 |   selector:
513 |     app: nginx
514 |     tier: frontend
515 |   type: ClusterIP
516 | ---
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Ingress.default.nginx-wp-ingress
File: /deployments/nginx/all-resources.yml:517-532
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
517 | apiVersion: networking.k8s.io/v1
518 | kind: Ingress
519 | metadata:
520 |   name: nginx-wp-ingress
521 | spec:
522 |   ingressClassName: nginx
523 |   rules:
524 |   - http:
525 |       paths:
526 |       - path: /
527 |         pathType: Prefix
528 |         backend:
529 |           service:
530 |             name: nginx-svc
531 |             port:
532 |               number: 80
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/nginx-deployment.yml:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/nginx-deployment.yml:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/nginx-deployment.yml:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/nginx-deployment.yml:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/nginx-deployment.yml:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/nginx-deployment.yml:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/nginx-deployment.yml:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/nginx-deployment.yml:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/nginx-deployment.yml:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/nginx-deployment.yml:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/nginx-deployment.yml:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/nginx-deployment.yml:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/nginx-deployment.yml:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/nginx-deployment.yml:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/nginx-deployment.yml:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/nginx-deployment.yml:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/nginx-deployment.yml:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/nginx-deployment.yml:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.default.nginx
File: /deployments/nginx/nginx-deployment.yml:1-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.nginx-conf
File: /deployments/nginx/nginx-configmap.yml:1-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.wordpress-conf-tpl
File: /deployments/nginx/nginx-configmap.yml:63-162
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.nginx-custom-conf
File: /deployments/nginx/nginx-configmap.yml:163-286
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.wp-hardening
File: /deployments/nginx/nginx-configmap.yml:287-423
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.nginx-conf
File: /deployments/nginx/nginx-configmap-cert-manager.yml:1-62
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.wordpress-conf-tpl
File: /deployments/nginx/nginx-configmap-cert-manager.yml:63-162
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.nginx-custom-conf
File: /deployments/nginx/nginx-configmap-cert-manager.yml:163-286
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.wp-hardening
File: /deployments/nginx/nginx-configmap-cert-manager.yml:287-423
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Ingress.default.nginx-wp-ingress
File: /deployments/nginx/nginx-ingress.yml:1-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: networking.k8s.io/v1
2 | kind: Ingress
3 | metadata:
4 |   name: nginx-wp-ingress
5 | spec:
6 |   ingressClassName: nginx
7 |   rules:
8 |   - http:
9 |       paths:
10 |       - path: /
11 |         pathType: Prefix
12 |         backend:
13 |           service:
14 |             name: nginx-svc
15 |             port:
16 |               number: 80
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.nginx-svc
File: /deployments/nginx/nginx-svc.yml:1-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 |   labels:
5 |     app: nginx
6 |     tier: frontend
7 |   name: nginx-svc
8 | spec:
9 |   ports:
10 |   - port: 80
11 |     protocol: TCP
12 |     targetPort: 80
13 |   selector:
14 |     app: nginx
15 |     tier: frontend
16 |   type: ClusterIP
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Ingress.default.nginx-wp-ingress
File: /deployments/nginx/nginx-ingress-cert-manager.yml:1-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: networking.k8s.io/v1
2 | kind: Ingress
3 | metadata:
4 |   name: nginx-wp-ingress
5 |   annotations:
6 |     cert-manager.io/cluster-issuer: "letsencrypt-staging" # or "letsencrypt-prod"
7 | spec:
8 |   ingressClassName: nginx
9 |   tls:
10 |   - hosts:
11 |     - example.com
12 |     - example1.com
13 |     secretName: example-tls
14 |   rules:
15 |   - host: example.com
16 |     http:
17 |       paths:
18 |       - pathType: Prefix
19 |         path: "/"
20 |         backend:
21 |           service:
22 |             name: nginx-svc
23 |             port:
24 |               number: 80
25 |   - host: example1.com
26 |     http:
27 |       paths:
28 |       - pathType: Prefix
29 |         path: "/"
30 |         backend:
31 |           service:
32 |             name: nginx-svc
33 |             port:
34 |               number: 80
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.mariadb.app-mariadb.tier-backend
File: /deployments/mariadb/mariadb-deployment.yml:1-38
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   labels:
5 |     app: mariadb
6 |   name: mariadb
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: mariadb
12 |       tier: backend
13 |   strategy: {}
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: mariadb
18 |         tier: backend
19 |     spec:
20 |       containers:
21 |       - image: mariadb:latest
22 |         name: mariadb
23 |         env:
24 |         - name: MYSQL_ROOT_PASSWORD
25 |           value: ro0tP4sSworD
26 |         - name: MYSQL_DATABASE
27 |           value: wordpress
28 |         - name: MYSQL_USER
29 |           value: wpuser
30 |         - name: MYSQL_PASSWORD
31 |           value: W0rd_Pr3sSUs3r.
32 |         volumeMounts:
33 |         - name: "mariadb-persistent-storage"
34 |           mountPath: "/var/lib/mysql/"
35 |       volumes:
36 |       - name: mariadb-persistent-storage
37 |         persistentVolumeClaim:
38 |           claimName: mariadb-pvc
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.mariadb.app-mariadb.tier-backend
File: /deployments/mariadb/all-resources.yml:14-52
14 | apiVersion: apps/v1
15 | kind: Deployment
16 | metadata:
17 |   labels:
18 |     app: mariadb
19 |   name: mariadb
20 | spec:
21 |   replicas: 1
22 |   selector:
23 |     matchLabels:
24 |       app: mariadb
25 |       tier: backend
26 |   strategy: {}
27 |   template:
28 |     metadata:
29 |       labels:
30 |         app: mariadb
31 |         tier: backend
32 |     spec:
33 |       containers:
34 |       - image: mariadb:latest
35 |         name: mariadb
36 |         env:
37 |         - name: MYSQL_ROOT_PASSWORD
38 |           value: ro0tP4sSworD
39 |         - name: MYSQL_DATABASE
40 |           value: wordpress
41 |         - name: MYSQL_USER
42 |           value: wpuser
43 |         - name: MYSQL_PASSWORD
44 |           value: W0rd_Pr3sSUs3r.
45 |         volumeMounts:
46 |         - name: "mariadb-persistent-storage"
47 |           mountPath: "/var/lib/mysql/"
48 |       volumes:
49 |       - name: mariadb-persistent-storage
50 |         persistentVolumeClaim:
51 |           claimName: mariadb-pvc
52 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.wordpress.app-wordpress.tier-frontend
File: /deployments/wordpress/all-resources.yml:14-55
14 | apiVersion: apps/v1
15 | kind: Deployment
16 | metadata:
17 |   name: wordpress
18 |   labels:
19 |     app: wordpress
20 | spec:
21 |   replicas: 1
22 |   selector:
23 |     matchLabels:
24 |       app: wordpress
25 |       tier: frontend
26 |   strategy: {}
27 |   template:
28 |     metadata:
29 |       labels:
30 |         app: wordpress
31 |         tier: frontend
32 |     spec:
33 |       containers:
34 |       - image: wordpress:php7.4-fpm
35 |         name: wordpress
36 |         env:
37 |         - name: WORDPRESS_DB_HOST
38 |           value: mariadb-svc
39 |         - name: WORDPRESS_DB_NAME
40 |           value: wordpress
41 |         - name: WORDPRESS_DB_USER
42 |           value: wpuser
43 |         - name: WORDPRESS_DB_PASSWORD
44 |           value: W0rd_Pr3sSUs3r.
45 |         ports:
46 |         - containerPort: 9000
47 |           name: php-fpm
48 |         volumeMounts:
49 |         - name: wordpress-persistent-storage
50 |           mountPath: /var/www/html
51 |       volumes:
52 |       - name: wordpress-persistent-storage
53 |         persistentVolumeClaim:
54 |           claimName: wordpress-pvc
55 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.wordpress.app-wordpress.tier-frontend
File: /deployments/wordpress/wordpress-deployment.yml:1-41
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: wordpress
5 |   labels:
6 |     app: wordpress
7 | spec:
8 |   replicas: 1
9 |   selector:
10 |     matchLabels:
11 |       app: wordpress
12 |       tier: frontend
13 |   strategy: {}
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: wordpress
18 |         tier: frontend
19 |     spec:
20 |       containers:
21 |       - image: wordpress:php7.4-fpm
22 |         name: wordpress
23 |         env:
24 |         - name: WORDPRESS_DB_HOST
25 |           value: mariadb-svc
26 |         - name: WORDPRESS_DB_NAME
27 |           value: wordpress
28 |         - name: WORDPRESS_DB_USER
29 |           value: wpuser
30 |         - name: WORDPRESS_DB_PASSWORD
31 |           value: W0rd_Pr3sSUs3r.
32 |         ports:
33 |         - containerPort: 9000
34 |           name: php-fpm
35 |         volumeMounts:
36 |         - name: wordpress-persistent-storage
37 |           mountPath: /var/www/html
38 |       volumes:
39 |       - name: wordpress-persistent-storage
40 |         persistentVolumeClaim:
41 |           claimName: wordpress-pvc
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.nginx.app-nginx.tier-frontend
File: /deployments/nginx/all-resources.yml:425-499
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.nginx.app-nginx.tier-frontend
File: /deployments/nginx/nginx-deployment.yml:1-74
Code lines for this resource are too many. Please use IDE of your choice to review the file.
github_actions scan results:
Passed checks: 23, Failed checks: 1, Skipped checks: 0
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Terraform CI)
File: /.github/workflows/ci.yml:0-1