| Repository | kube-hetzner / terraform-hcloud-kube-hetzner |
|---|---|
| Description | Optimized and Maintenance-free Kubernetes on Hetzner Cloud in one command! |
| Stars | 1356 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that a security scanning tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CICD framework used by the repository
Checkov Output
terraform scan results:
Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1
kubernetes scan results:
Passed checks: 138, Failed checks: 42, Skipped checks: 0
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.system-upgrade.system-upgrade-controller
File: /kustomize/system-upgrade-controller.yaml:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: system-upgrade-controller
5 |   namespace: system-upgrade
6 | spec:
7 |   template:
8 |     spec:
9 |       containers:
10 |         - name: system-upgrade-controller
11 |           volumeMounts:
12 |             - name: ca-certificates
13 |               mountPath: /var/lib/ca-certificates
14 |       volumes:
15 |         - name: ca-certificates
16 |           hostPath:
17 |             path: /var/lib/ca-certificates
18 |             type: Directory
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.system-upgrade.system-upgrade-controller
File: /kustomize/system-upgrade-controller.yaml:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: system-upgrade-controller
5 |   namespace: system-upgrade
6 | spec:
7 |   template:
8 |     spec:
9 |       containers:
10 |         - name: system-upgrade-controller
11 |           volumeMounts:
12 |             - name: ca-certificates
13 |               mountPath: /var/lib/ca-certificates
14 |       volumes:
15 |         - name: ca-certificates
16 |           hostPath:
17 |             path: /var/lib/ca-certificates
18 |             type: Directory
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.system-upgrade.system-upgrade-controller
File: /kustomize/system-upgrade-controller.yaml:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: system-upgrade-controller
5 |   namespace: system-upgrade
6 | spec:
7 |   template:
8 |     spec:
9 |       containers:
10 |         - name: system-upgrade-controller
11 |           volumeMounts:
12 |             - name: ca-certificates
13 |               mountPath: /var/lib/ca-certificates
14 |       volumes:
15 |         - name: ca-certificates
16 |           hostPath:
17 |             path: /var/lib/ca-certificates
18 |             type: Directory
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.system-upgrade.system-upgrade-controller
File: /kustomize/system-upgrade-controller.yaml:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: system-upgrade-controller
5 |   namespace: system-upgrade
6 | spec:
7 |   template:
8 |     spec:
9 |       containers:
10 |         - name: system-upgrade-controller
11 |           volumeMounts:
12 |             - name: ca-certificates
13 |               mountPath: /var/lib/ca-certificates
14 |       volumes:
15 |         - name: ca-certificates
16 |           hostPath:
17 |             path: /var/lib/ca-certificates
18 |             type: Directory
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.system-upgrade.system-upgrade-controller
File: /kustomize/system-upgrade-controller.yaml:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: system-upgrade-controller
5 |   namespace: system-upgrade
6 | spec:
7 |   template:
8 |     spec:
9 |       containers:
10 |         - name: system-upgrade-controller
11 |           volumeMounts:
12 |             - name: ca-certificates
13 |               mountPath: /var/lib/ca-certificates
14 |       volumes:
15 |         - name: ca-certificates
16 |           hostPath:
17 |             path: /var/lib/ca-certificates
18 |             type: Directory
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.system-upgrade.system-upgrade-controller
File: /kustomize/system-upgrade-controller.yaml:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: system-upgrade-controller
5 |   namespace: system-upgrade
6 | spec:
7 |   template:
8 |     spec:
9 |       containers:
10 |         - name: system-upgrade-controller
11 |           volumeMounts:
12 |             - name: ca-certificates
13 |               mountPath: /var/lib/ca-certificates
14 |       volumes:
15 |         - name: ca-certificates
16 |           hostPath:
17 |             path: /var/lib/ca-certificates
18 |             type: Directory
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.system-upgrade.system-upgrade-controller
File: /kustomize/system-upgrade-controller.yaml:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: system-upgrade-controller
5 |   namespace: system-upgrade
6 | spec:
7 |   template:
8 |     spec:
9 |       containers:
10 |         - name: system-upgrade-controller
11 |           volumeMounts:
12 |             - name: ca-certificates
13 |               mountPath: /var/lib/ca-certificates
14 |       volumes:
15 |         - name: ca-certificates
16 |           hostPath:
17 |             path: /var/lib/ca-certificates
18 |             type: Directory
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.system-upgrade.system-upgrade-controller
File: /kustomize/system-upgrade-controller.yaml:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: system-upgrade-controller
5 |   namespace: system-upgrade
6 | spec:
7 |   template:
8 |     spec:
9 |       containers:
10 |         - name: system-upgrade-controller
11 |           volumeMounts:
12 |             - name: ca-certificates
13 |               mountPath: /var/lib/ca-certificates
14 |       volumes:
15 |         - name: ca-certificates
16 |           hostPath:
17 |             path: /var/lib/ca-certificates
18 |             type: Directory
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.system-upgrade.system-upgrade-controller
File: /kustomize/system-upgrade-controller.yaml:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: system-upgrade-controller
5 |   namespace: system-upgrade
6 | spec:
7 |   template:
8 |     spec:
9 |       containers:
10 |         - name: system-upgrade-controller
11 |           volumeMounts:
12 |             - name: ca-certificates
13 |               mountPath: /var/lib/ca-certificates
14 |       volumes:
15 |         - name: ca-certificates
16 |           hostPath:
17 |             path: /var/lib/ca-certificates
18 |             type: Directory
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.system-upgrade.system-upgrade-controller
File: /kustomize/system-upgrade-controller.yaml:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: system-upgrade-controller
5 |   namespace: system-upgrade
6 | spec:
7 |   template:
8 |     spec:
9 |       containers:
10 |         - name: system-upgrade-controller
11 |           volumeMounts:
12 |             - name: ca-certificates
13 |               mountPath: /var/lib/ca-certificates
14 |       volumes:
15 |         - name: ca-certificates
16 |           hostPath:
17 |             path: /var/lib/ca-certificates
18 |             type: Directory
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.system-upgrade.system-upgrade-controller
File: /kustomize/system-upgrade-controller.yaml:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: system-upgrade-controller
5 |   namespace: system-upgrade
6 | spec:
7 |   template:
8 |     spec:
9 |       containers:
10 |         - name: system-upgrade-controller
11 |           volumeMounts:
12 |             - name: ca-certificates
13 |               mountPath: /var/lib/ca-certificates
14 |       volumes:
15 |         - name: ca-certificates
16 |           hostPath:
17 |             path: /var/lib/ca-certificates
18 |             type: Directory
Check: CKV_K8S_33: "Ensure the Kubernetes dashboard is not deployed"
FAILED for resource: Deployment.system-upgrade.system-upgrade-controller
File: /kustomize/system-upgrade-controller.yaml:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-31.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: system-upgrade-controller
5 |   namespace: system-upgrade
6 | spec:
7 |   template:
8 |     spec:
9 |       containers:
10 |         - name: system-upgrade-controller
11 |           volumeMounts:
12 |             - name: ca-certificates
13 |               mountPath: /var/lib/ca-certificates
14 |       volumes:
15 |         - name: ca-certificates
16 |           hostPath:
17 |             path: /var/lib/ca-certificates
18 |             type: Directory
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.system-upgrade.system-upgrade-controller
File: /kustomize/system-upgrade-controller.yaml:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: system-upgrade-controller
5 |   namespace: system-upgrade
6 | spec:
7 |   template:
8 |     spec:
9 |       containers:
10 |         - name: system-upgrade-controller
11 |           volumeMounts:
12 |             - name: ca-certificates
13 |               mountPath: /var/lib/ca-certificates
14 |       volumes:
15 |         - name: ca-certificates
16 |           hostPath:
17 |             path: /var/lib/ca-certificates
18 |             type: Directory
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.system-upgrade.system-upgrade-controller
File: /kustomize/system-upgrade-controller.yaml:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: system-upgrade-controller
5 |   namespace: system-upgrade
6 | spec:
7 |   template:
8 |     spec:
9 |       containers:
10 |         - name: system-upgrade-controller
11 |           volumeMounts:
12 |             - name: ca-certificates
13 |               mountPath: /var/lib/ca-certificates
14 |       volumes:
15 |         - name: ca-certificates
16 |           hostPath:
17 |             path: /var/lib/ca-certificates
18 |             type: Directory
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.system-upgrade.system-upgrade-controller
File: /kustomize/system-upgrade-controller.yaml:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: system-upgrade-controller
5 |   namespace: system-upgrade
6 | spec:
7 |   template:
8 |     spec:
9 |       containers:
10 |         - name: system-upgrade-controller
11 |           volumeMounts:
12 |             - name: ca-certificates
13 |               mountPath: /var/lib/ca-certificates
14 |       volumes:
15 |         - name: ca-certificates
16 |           hostPath:
17 |             path: /var/lib/ca-certificates
18 |             type: Directory
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.system-upgrade.system-upgrade-controller
File: /kustomize/system-upgrade-controller.yaml:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: system-upgrade-controller
5 |   namespace: system-upgrade
6 | spec:
7 |   template:
8 |     spec:
9 |       containers:
10 |         - name: system-upgrade-controller
11 |           volumeMounts:
12 |             - name: ca-certificates
13 |               mountPath: /var/lib/ca-certificates
14 |       volumes:
15 |         - name: ca-certificates
16 |           hostPath:
17 |             path: /var/lib/ca-certificates
18 |             type: Directory
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.system-upgrade.system-upgrade-controller
File: /kustomize/system-upgrade-controller.yaml:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: system-upgrade-controller
5 |   namespace: system-upgrade
6 | spec:
7 |   template:
8 |     spec:
9 |       containers:
10 |         - name: system-upgrade-controller
11 |           volumeMounts:
12 |             - name: ca-certificates
13 |               mountPath: /var/lib/ca-certificates
14 |       volumes:
15 |         - name: ca-certificates
16 |           hostPath:
17 |             path: /var/lib/ca-certificates
18 |             type: Directory
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.system-upgrade.system-upgrade-controller
File: /kustomize/system-upgrade-controller.yaml:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: system-upgrade-controller
5 |   namespace: system-upgrade
6 | spec:
7 |   template:
8 |     spec:
9 |       containers:
10 |         - name: system-upgrade-controller
11 |           volumeMounts:
12 |             - name: ca-certificates
13 |               mountPath: /var/lib/ca-certificates
14 |       volumes:
15 |         - name: ca-certificates
16 |           hostPath:
17 |             path: /var/lib/ca-certificates
18 |             type: Directory
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.system-upgrade.system-upgrade-controller
File: /kustomize/system-upgrade-controller.yaml:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: system-upgrade-controller
5 |   namespace: system-upgrade
6 | spec:
7 |   template:
8 |     spec:
9 |       containers:
10 |         - name: system-upgrade-controller
11 |           volumeMounts:
12 |             - name: ca-certificates
13 |               mountPath: /var/lib/ca-certificates
14 |       volumes:
15 |         - name: ca-certificates
16 |           hostPath:
17 |             path: /var/lib/ca-certificates
18 |             type: Directory
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.system-upgrade.system-upgrade-controller
File: /kustomize/system-upgrade-controller.yaml:1-18
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: system-upgrade-controller
5 |   namespace: system-upgrade
6 | spec:
7 |   template:
8 |     spec:
9 |       containers:
10 |         - name: system-upgrade-controller
11 |           volumeMounts:
12 |             - name: ca-certificates
13 |               mountPath: /var/lib/ca-certificates
14 |       volumes:
15 |         - name: ca-certificates
16 |           hostPath:
17 |             path: /var/lib/ca-certificates
18 |             type: Directory
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.default.nginx
File: /examples/tls/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   labels:
5 |     run: nginx
6 |   name: nginx
7 | spec:
8 |   containers:
9 |     - image: nginx
10 |       name: nginx
11 |       ports:
12 |         - containerPort: 80
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Pod.default.nginx
File: /examples/tls/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   labels:
5 |     run: nginx
6 |   name: nginx
7 | spec:
8 |   containers:
9 |     - image: nginx
10 |       name: nginx
11 |       ports:
12 |         - containerPort: 80
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Pod.default.nginx
File: /examples/tls/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   labels:
5 |     run: nginx
6 |   name: nginx
7 | spec:
8 |   containers:
9 |     - image: nginx
10 |       name: nginx
11 |       ports:
12 |         - containerPort: 80
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Pod.default.nginx
File: /examples/tls/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   labels:
5 |     run: nginx
6 |   name: nginx
7 | spec:
8 |   containers:
9 |     - image: nginx
10 |       name: nginx
11 |       ports:
12 |         - containerPort: 80
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.default.nginx
File: /examples/tls/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   labels:
5 |     run: nginx
6 |   name: nginx
7 | spec:
8 |   containers:
9 |     - image: nginx
10 |       name: nginx
11 |       ports:
12 |         - containerPort: 80
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Pod.default.nginx
File: /examples/tls/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   labels:
5 |     run: nginx
6 |   name: nginx
7 | spec:
8 |   containers:
9 |     - image: nginx
10 |       name: nginx
11 |       ports:
12 |         - containerPort: 80
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.default.nginx
File: /examples/tls/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   labels:
5 |     run: nginx
6 |   name: nginx
7 | spec:
8 |   containers:
9 |     - image: nginx
10 |       name: nginx
11 |       ports:
12 |         - containerPort: 80
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.default.nginx
File: /examples/tls/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   labels:
5 |     run: nginx
6 |   name: nginx
7 | spec:
8 |   containers:
9 |     - image: nginx
10 |       name: nginx
11 |       ports:
12 |         - containerPort: 80
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.default.nginx
File: /examples/tls/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   labels:
5 |     run: nginx
6 |   name: nginx
7 | spec:
8 |   containers:
9 |     - image: nginx
10 |       name: nginx
11 |       ports:
12 |         - containerPort: 80
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Pod.default.nginx
File: /examples/tls/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   labels:
5 |     run: nginx
6 |   name: nginx
7 | spec:
8 |   containers:
9 |     - image: nginx
10 |       name: nginx
11 |       ports:
12 |         - containerPort: 80
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.default.nginx
File: /examples/tls/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   labels:
5 |     run: nginx
6 |   name: nginx
7 | spec:
8 |   containers:
9 |     - image: nginx
10 |       name: nginx
11 |       ports:
12 |         - containerPort: 80
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Pod.default.nginx
File: /examples/tls/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   labels:
5 |     run: nginx
6 |   name: nginx
7 | spec:
8 |   containers:
9 |     - image: nginx
10 |       name: nginx
11 |       ports:
12 |         - containerPort: 80
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.default.nginx
File: /examples/tls/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   labels:
5 |     run: nginx
6 |   name: nginx
7 | spec:
8 |   containers:
9 |     - image: nginx
10 |       name: nginx
11 |       ports:
12 |         - containerPort: 80
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.default.nginx
File: /examples/tls/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   labels:
5 |     run: nginx
6 |   name: nginx
7 | spec:
8 |   containers:
9 |     - image: nginx
10 |       name: nginx
11 |       ports:
12 |         - containerPort: 80
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.default.nginx
File: /examples/tls/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   labels:
5 |     run: nginx
6 |   name: nginx
7 | spec:
8 |   containers:
9 |     - image: nginx
10 |       name: nginx
11 |       ports:
12 |         - containerPort: 80
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.default.nginx
File: /examples/tls/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   labels:
5 |     run: nginx
6 |   name: nginx
7 | spec:
8 |   containers:
9 |     - image: nginx
10 |       name: nginx
11 |       ports:
12 |         - containerPort: 80
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Pod.default.nginx
File: /examples/tls/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   labels:
5 |     run: nginx
6 |   name: nginx
7 | spec:
8 |   containers:
9 |     - image: nginx
10 |       name: nginx
11 |       ports:
12 |         - containerPort: 80
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.default.nginx
File: /examples/tls/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   labels:
5 |     run: nginx
6 |   name: nginx
7 | spec:
8 |   containers:
9 |     - image: nginx
10 |       name: nginx
11 |       ports:
12 |         - containerPort: 80
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.default.nginx
File: /examples/tls/pod.yaml:1-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   labels:
5 |     run: nginx
6 |   name: nginx
7 | spec:
8 |   containers:
9 |     - image: nginx
10 |       name: nginx
11 |       ports:
12 |         - containerPort: 80
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Service.default.nginx-service
File: /examples/tls/service.yaml:1-11
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 |   name: nginx-service
5 | spec:
6 |   ports:
7 |     - port: 80
8 |       protocol: TCP
9 |       targetPort: 80
10 |   selector:
11 |     run: nginx
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Ingress.default.nginx-ingress
File: /examples/tls/ingress.yaml:1-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
1 | apiVersion: networking.k8s.io/v1
2 | kind: Ingress
3 | metadata:
4 |   name: nginx-ingress
5 |   annotations:
6 |     traefik.ingress.kubernetes.io/router.tls: "true"
7 |     traefik.ingress.kubernetes.io/router.tls.certresolver: le
8 | spec:
9 |   tls:
10 |     - hosts:
11 |         - example.com
12 |   rules:
13 |     - host: example.com
14 |       http:
15 |         paths:
16 |           - path: /
17 |             pathType: Prefix
18 |             backend:
19 |               service:
20 |                 name: nginx-service
21 |                 port:
22 |                   number: 80
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.nginx
File: /examples/tls/pod.yaml:1-12
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   labels:
5 |     run: nginx
6 |   name: nginx
7 | spec:
8 |   containers:
9 |     - image: nginx
10 |       name: nginx
11 |       ports:
12 |         - containerPort: 80
github_actions scan results:
Passed checks: 57, Failed checks: 3, Skipped checks: 0
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Publish a new Github Release)
File: /.github/workflows/publish-release.yaml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Validate Terraform)
File: /.github/workflows/validate-terraform.yaml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Generate terraform docs)
File: /.github/workflows/generate-docs.yaml:0-1
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools