Repository | onedr0p / home-ops |
Description | A mono repository for my home infrastructure and Kubernetes cluster which adheres to Infrastructure as Code (IaC) and GitOps practices where possible |
Stars | 1311 |
---|---|
Failed Checks |
Security Scanning |
Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found in any of the CI/CD configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output is shown below).
- Implement one of the security scanning tools within the CI/CD framework used by the repository.
Checkov Output
2023-10-05 14:41:23,959 [MainThread ] [WARNI] Failed to download module github.com/bjw-s/terraform-1password-item?ref=main:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 10, Failed checks: 12, Skipped checks: 0
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: kubernetes_secret_v1.kopia
File: /terraform/storage/apps/app_kopia.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
# Kopia repository configuration, rendered from a template and delivered to
# the cluster as a Secret.
#
# CKV_K8S_21: created in the "default" namespace. The StatefulSet that uses
# it (same file, lines 19-197 per this report) would have to move with it;
# otherwise suppress the check with a written justification.
resource "kubernetes_secret_v1" "kopia" {
  metadata {
    name = "kopia"
    namespace = "default"
    labels = {
      "app.arpa.home/name" = "kopia"
    }
  }
  data = {
    # The B2 credentials are decrypted from the SOPS file at plan time and
    # embedded in the rendered config. Secret data managed by the kubernetes
    # provider is also persisted in Terraform state, so the state backend
    # needs encryption at rest and tightly scoped access.
    "repository.config" = "${templatefile(
      "${path.module}/templates/repository.config.tftpl", {
        b2_app_key = data.sops_file.secrets.data["kopia_b2_app_key"],
        b2_app_key_id = data.sops_file.secrets.data["kopia_b2_app_key_id"]
      }
    )}"
  }
}
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: kubernetes_stateful_set_v1.kopia
File: /terraform/storage/apps/app_kopia.tf:19-197
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: kubernetes_service_v1.kopia
File: /terraform/storage/apps/app_kopia.tf:199-224
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
# Service in front of the kopia StatefulSet; no `type` is set, so it is a
# ClusterIP Service selecting pods by the shared app.arpa.home/name label.
#
# CKV_K8S_21: "default" namespace. It must stay in the namespace of the pods
# it selects and of the Ingress that references it by name.
resource "kubernetes_service_v1" "kopia" {
  metadata {
    name = "kopia"
    namespace = "default"
    labels = {
      "app.arpa.home/name" = "kopia"
    }
  }
  spec {
    selector = {
      "app.arpa.home/name" = "kopia"
    }
    # UI/API port, the one the Ingress below routes to.
    port {
      name = "http"
      port = 51515
      target_port = 51515
      protocol = "TCP"
    }
    # Metrics port. Nothing shown here restricts which in-cluster clients can
    # reach it (no NetworkPolicy in this scan excerpt).
    port {
      name = "metrics"
      port = 51516
      target_port = 51516
      protocol = "TCP"
    }
  }
}
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: kubernetes_ingress_v1.kopia
File: /terraform/storage/apps/app_kopia.tf:226-257
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
# Traefik Ingress publishing the kopia UI as kopia.turbo.ac.
#
# `router.entrypoints = "web"` is conventionally Traefik's plain-HTTP
# entrypoint and no `tls` block is declared here, so this host is served
# without TLS unless a redirect or TLS router is configured elsewhere —
# confirm before relying on it.
#
# CKV_K8S_21: "default" namespace; the backend Service must live in the same
# namespace as the Ingress.
resource "kubernetes_ingress_v1" "kopia" {
  metadata {
    name = "kopia"
    namespace = "default"
    annotations = {
      "traefik.ingress.kubernetes.io/router.entrypoints" = "web"
    }
    labels = {
      "app.arpa.home/name" = "kopia"
    }
  }
  spec {
    ingress_class_name = "traefik"
    rule {
      host = "kopia.turbo.ac"
      http {
        path {
          path = "/"
          path_type = "Prefix"
          backend {
            service {
              # Targets the "http" port of kubernetes_service_v1.kopia.
              name = "kopia"
              port {
                number = 51515
              }
            }
          }
        }
      }
    }
  }
}
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: kubernetes_stateful_set_v1.minio
File: /terraform/storage/apps/app_minio.tf:1-143
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: kubernetes_service_v1.minio
File: /terraform/storage/apps/app_minio.tf:145-170
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
# Service in front of the minio StatefulSet; no `type` is set, so it is a
# ClusterIP Service selecting pods by the shared app.arpa.home/name label.
# Both ports are published by separate Ingresses further down.
#
# CKV_K8S_21: "default" namespace, shared with the StatefulSet it selects and
# the Ingresses that reference it by name.
resource "kubernetes_service_v1" "minio" {
  metadata {
    name = "minio"
    namespace = "default"
    labels = {
      "app.arpa.home/name" = "minio"
    }
  }
  spec {
    selector = {
      "app.arpa.home/name" = "minio"
    }
    # Web console.
    port {
      name = "console"
      port = 9001
      target_port = 9001
      protocol = "TCP"
    }
    # S3 API.
    port {
      name = "s3"
      port = 9000
      target_port = 9000
      protocol = "TCP"
    }
  }
}
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: kubernetes_ingress_v1.minio
File: /terraform/storage/apps/app_minio.tf:172-203
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
# Traefik Ingress publishing the minio web console as minio.turbo.ac.
#
# Same caveat as the other Ingresses in this file: entrypoint "web" is
# conventionally plain HTTP and there is no `tls` block, so console logins
# would travel unencrypted unless TLS/redirect is handled elsewhere — confirm.
#
# CKV_K8S_21: "default" namespace; must match the backend Service.
resource "kubernetes_ingress_v1" "minio" {
  metadata {
    name = "minio-console"
    namespace = "default"
    annotations = {
      "traefik.ingress.kubernetes.io/router.entrypoints" = "web"
    }
    labels = {
      "app.arpa.home/name" = "minio"
    }
  }
  spec {
    ingress_class_name = "traefik"
    rule {
      host = "minio.turbo.ac"
      http {
        path {
          path = "/"
          path_type = "Prefix"
          backend {
            service {
              # "console" port of kubernetes_service_v1.minio.
              name = "minio"
              port {
                number = 9001
              }
            }
          }
        }
      }
    }
  }
}
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: kubernetes_ingress_v1.s3
File: /terraform/storage/apps/app_minio.tf:205-236
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
# Traefik Ingress publishing the minio S3 API as s3.turbo.ac.
#
# Entrypoint "web" is conventionally plain HTTP and no `tls` block is
# declared; S3 clients would then send signed requests and object data in the
# clear unless TLS/redirect is configured elsewhere — confirm.
#
# CKV_K8S_21: "default" namespace; must match the backend Service.
resource "kubernetes_ingress_v1" "s3" {
  metadata {
    name = "minio-s3"
    namespace = "default"
    annotations = {
      "traefik.ingress.kubernetes.io/router.entrypoints" = "web"
    }
    labels = {
      "app.arpa.home/name" = "minio"
    }
  }
  spec {
    ingress_class_name = "traefik"
    rule {
      host = "s3.turbo.ac"
      http {
        path {
          path = "/"
          path_type = "Prefix"
          backend {
            service {
              # "s3" port of kubernetes_service_v1.minio.
              name = "minio"
              port {
                number = 9000
              }
            }
          }
        }
      }
    }
  }
}
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: kubernetes_daemon_set_v1.node_exporter
File: /terraform/storage/apps/app_node_exporter.tf:1-83
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: kubernetes_daemon_set_v1.smartctl_exporter
File: /terraform/storage/apps/app_smartctl_exporter.tf:1-60
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: kubernetes_config_map_v1.vector_agent
File: /terraform/storage/apps/app_vector_agent.tf:1-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
# Vector agent configuration, rendered from a template with the sink host and
# port passed in as variables (no secrets are interpolated here).
#
# CKV_K8S_21: "default" namespace. The DaemonSet that mounts it (same file,
# lines 19-94 per this report) would have to move with it.
resource "kubernetes_config_map_v1" "vector_agent" {
  metadata {
    name = "vector-agent"
    namespace = "default"
    labels = {
      "app.arpa.home/name" = "vector-agent"
    }
  }
  data = {
    "vector.yaml" = "${templatefile(
      "${path.module}/templates/vector.yaml.tftpl", {
        host = var.vector_agent_host,
        port = var.vector_agent_port
      }
    )}"
  }
}
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: kubernetes_daemon_set_v1.vector_agent
File: /terraform/storage/apps/app_vector_agent.tf:19-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
kubernetes scan results:
Passed checks: 85, Failed checks: 35, Skipped checks: 0
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.slskd-gatus-ep
File: /kubernetes/apps/default/slskd/app/gatus.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
# Gatus endpoint for slskd; the gatus.io/enabled label presumably lets Gatus
# discover this ConfigMap.
#
# CKV_K8S_21: "default" namespace, shared with the rest of this app under
# kubernetes/apps/default/; fix by moving the whole app or suppressing with a
# documented reason.
apiVersion: v1
kind: ConfigMap
metadata:
  name: slskd-gatus-ep
  namespace: default
  labels:
    gatus.io/enabled: "true"
data:
  # "guarded" check: the dns block makes Gatus query the resolver at 1.1.1.1
  # (the url) for the A record of slskd.devbu.io, and the condition passes
  # only when the answer is empty — presumably a canary that an internal-only
  # name never becomes publicly resolvable. hide-hostname/hide-url keep both
  # values off the status page.
  config.yaml: |
    endpoints:
      - name: slskd
        group: guarded
        url: 1.1.1.1
        interval: 1m
        ui:
          hide-hostname: true
          hide-url: true
        dns:
          query-name: slskd.devbu.io
          query-type: A
        conditions:
          - "len([BODY]) == 0"
        alerts:
          - type: pushover
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.overseerr-gatus-ep
File: /kubernetes/apps/default/overseerr/app/gatus.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
# Gatus endpoint for overseerr; the gatus.io/enabled label presumably lets
# Gatus discover this ConfigMap.
#
# CKV_K8S_21: "default" namespace, shared with the rest of this app under
# kubernetes/apps/default/; fix by moving the whole app or suppressing with a
# documented reason.
apiVersion: v1
kind: ConfigMap
metadata:
  name: overseerr-gatus-ep
  namespace: default
  labels:
    gatus.io/enabled: "true"
data:
  # "external" check: HTTPS GET of requests.devbu.io every minute expecting
  # 200. The client resolves the name via 1.1.1.1 over TCP rather than
  # cluster DNS, presumably so the probe follows the path an outside user
  # would take.
  config.yaml: |
    endpoints:
      - name: overseerr
        group: external
        url: https://requests.devbu.io
        interval: 1m
        client:
          dns-resolver: tcp://1.1.1.1:53
        conditions:
          - "[STATUS] == 200"
        alerts:
          - type: pushover
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.authelia-gatus-ep
File: /kubernetes/apps/default/authelia/app/gatus.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
# Gatus endpoint for authelia; the gatus.io/enabled label presumably lets
# Gatus discover this ConfigMap.
#
# CKV_K8S_21: "default" namespace, shared with the rest of this app under
# kubernetes/apps/default/; fix by moving the whole app or suppressing with a
# documented reason.
apiVersion: v1
kind: ConfigMap
metadata:
  name: authelia-gatus-ep
  namespace: default
  labels:
    gatus.io/enabled: "true"
data:
  # "external" check: HTTPS GET of auth.devbu.io every minute expecting 200,
  # resolved via 1.1.1.1 over TCP rather than cluster DNS. Since this is the
  # identity provider's front door, a failure here likely affects every
  # protected app as well.
  config.yaml: |
    endpoints:
      - name: authelia
        group: external
        url: https://auth.devbu.io
        interval: 1m
        client:
          dns-resolver: tcp://1.1.1.1:53
        conditions:
          - "[STATUS] == 200"
        alerts:
          - type: pushover
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.tautulli-gatus-ep
File: /kubernetes/apps/default/tautulli/app/gatus.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
# Gatus endpoint for tautulli; the gatus.io/enabled label presumably lets
# Gatus discover this ConfigMap.
#
# CKV_K8S_21: "default" namespace, shared with the rest of this app under
# kubernetes/apps/default/; fix by moving the whole app or suppressing with a
# documented reason.
apiVersion: v1
kind: ConfigMap
metadata:
  name: tautulli-gatus-ep
  namespace: default
  labels:
    gatus.io/enabled: "true"
data:
  # "guarded" check: DNS query against 1.1.1.1 for the A record of
  # tautulli.devbu.io; passes only when the public answer is empty, i.e. the
  # name is presumably meant to stay internal. hide-hostname/hide-url keep
  # both values off the status page.
  config.yaml: |
    endpoints:
      - name: tautulli
        group: guarded
        url: 1.1.1.1
        interval: 1m
        ui:
          hide-hostname: true
          hide-url: true
        dns:
          query-name: tautulli.devbu.io
          query-type: A
        conditions:
          - "len([BODY]) == 0"
        alerts:
          - type: pushover
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.miniflux-gatus-ep
File: /kubernetes/apps/default/miniflux/app/gatus.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
# Gatus endpoint for miniflux; the gatus.io/enabled label presumably lets
# Gatus discover this ConfigMap.
#
# CKV_K8S_21: "default" namespace, shared with the rest of this app under
# kubernetes/apps/default/; fix by moving the whole app or suppressing with a
# documented reason.
apiVersion: v1
kind: ConfigMap
metadata:
  name: miniflux-gatus-ep
  namespace: default
  labels:
    gatus.io/enabled: "true"
data:
  # "external" check against the dedicated /healthcheck path, resolved via
  # 1.1.1.1 over TCP rather than cluster DNS. Unlike the other external
  # probes this one also asserts the body, so a 200 from an intermediary
  # (e.g. a proxy error page) is not mistaken for a healthy app.
  config.yaml: |
    endpoints:
      - name: miniflux
        group: external
        url: https://miniflux.devbu.io/healthcheck
        interval: 1m
        client:
          dns-resolver: tcp://1.1.1.1:53
        conditions:
          - "[STATUS] == 200"
          - "[BODY] == OK"
        alerts:
          - type: pushover
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.prowlarr-gatus-ep
File: /kubernetes/apps/default/prowlarr/app/gatus.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
# Gatus endpoint for prowlarr; the gatus.io/enabled label presumably lets
# Gatus discover this ConfigMap.
#
# CKV_K8S_21: "default" namespace, shared with the rest of this app under
# kubernetes/apps/default/; fix by moving the whole app or suppressing with a
# documented reason.
apiVersion: v1
kind: ConfigMap
metadata:
  name: prowlarr-gatus-ep
  namespace: default
  labels:
    gatus.io/enabled: "true"
data:
  # "guarded" check: DNS query against 1.1.1.1 for the A record of
  # prowlarr.devbu.io; passes only when the public answer is empty, i.e. the
  # name is presumably meant to stay internal. hide-hostname/hide-url keep
  # both values off the status page.
  config.yaml: |
    endpoints:
      - name: prowlarr
        group: guarded
        url: 1.1.1.1
        interval: 1m
        ui:
          hide-hostname: true
          hide-url: true
        dns:
          query-name: prowlarr.devbu.io
          query-type: A
        conditions:
          - "len([BODY]) == 0"
        alerts:
          - type: pushover
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.kubernetes-schemas-gatus-ep
File: /kubernetes/apps/default/kubernetes-schemas/app/gatus.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
# Gatus endpoint for kubernetes-schemas; the gatus.io/enabled label presumably
# lets Gatus discover this ConfigMap.
#
# CKV_K8S_21: "default" namespace, shared with the rest of this app under
# kubernetes/apps/default/; fix by moving the whole app or suppressing with a
# documented reason.
apiVersion: v1
kind: ConfigMap
metadata:
  name: kubernetes-schemas-gatus-ep
  namespace: default
  labels:
    gatus.io/enabled: "true"
data:
  # "external" check: HTTPS GET of kubernetes-schemas.devbu.io every minute
  # expecting 200, resolved via 1.1.1.1 over TCP rather than cluster DNS.
  config.yaml: |
    endpoints:
      - name: kubernetes-schemas
        group: external
        url: https://kubernetes-schemas.devbu.io
        interval: 1m
        client:
          dns-resolver: tcp://1.1.1.1:53
        conditions:
          - "[STATUS] == 200"
        alerts:
          - type: pushover
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.jellyfin-gatus-ep
File: /kubernetes/apps/default/jellyfin/app/gatus.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
# Gatus endpoint for jellyfin; the gatus.io/enabled label presumably lets
# Gatus discover this ConfigMap.
#
# CKV_K8S_21: "default" namespace, shared with the rest of this app under
# kubernetes/apps/default/; fix by moving the whole app or suppressing with a
# documented reason.
apiVersion: v1
kind: ConfigMap
metadata:
  name: jellyfin-gatus-ep
  namespace: default
  labels:
    gatus.io/enabled: "true"
data:
  # "guarded" check: DNS query against 1.1.1.1 for the A record of
  # jellyfin.devbu.io; passes only when the public answer is empty, i.e. the
  # name is presumably meant to stay internal. hide-hostname/hide-url keep
  # both values off the status page.
  config.yaml: |
    endpoints:
      - name: jellyfin
        group: guarded
        url: 1.1.1.1
        interval: 1m
        ui:
          hide-hostname: true
          hide-url: true
        dns:
          query-name: jellyfin.devbu.io
          query-type: A
        conditions:
          - "len([BODY]) == 0"
        alerts:
          - type: pushover
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.zwave-js-ui-gatus-ep
File: /kubernetes/apps/default/zwave-js-ui/app/gatus.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
# Gatus endpoint for zwave-js-ui; the gatus.io/enabled label presumably lets
# Gatus discover this ConfigMap.
#
# CKV_K8S_21: "default" namespace, shared with the rest of this app under
# kubernetes/apps/default/; fix by moving the whole app or suppressing with a
# documented reason.
apiVersion: v1
kind: ConfigMap
metadata:
  name: zwave-js-ui-gatus-ep
  namespace: default
  labels:
    gatus.io/enabled: "true"
data:
  # "guarded" check: DNS query against 1.1.1.1 for the A record of
  # zwave.devbu.io (note the short hostname differs from the app name);
  # passes only when the public answer is empty, i.e. the name is presumably
  # meant to stay internal. hide-hostname/hide-url keep both values off the
  # status page.
  config.yaml: |
    endpoints:
      - name: zwave-js-ui
        group: guarded
        url: 1.1.1.1
        interval: 1m
        ui:
          hide-hostname: true
          hide-url: true
        dns:
          query-name: zwave.devbu.io
          query-type: A
        conditions:
          - "len([BODY]) == 0"
        alerts:
          - type: pushover
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.thelounge-gatus-ep
File: /kubernetes/apps/default/thelounge/app/gatus.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
# Gatus endpoint for thelounge; the gatus.io/enabled label presumably lets
# Gatus discover this ConfigMap.
#
# CKV_K8S_21: "default" namespace, shared with the rest of this app under
# kubernetes/apps/default/; fix by moving the whole app or suppressing with a
# documented reason.
apiVersion: v1
kind: ConfigMap
metadata:
  name: thelounge-gatus-ep
  namespace: default
  labels:
    gatus.io/enabled: "true"
data:
  # "guarded" check: DNS query against 1.1.1.1 for the A record of
  # thelounge.devbu.io; passes only when the public answer is empty, i.e. the
  # name is presumably meant to stay internal. hide-hostname/hide-url keep
  # both values off the status page.
  config.yaml: |
    endpoints:
      - name: thelounge
        group: guarded
        url: 1.1.1.1
        interval: 1m
        ui:
          hide-hostname: true
          hide-url: true
        dns:
          query-name: thelounge.devbu.io
          query-type: A
        conditions:
          - "len([BODY]) == 0"
        alerts:
          - type: pushover
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.plex-gatus-ep
File: /kubernetes/apps/default/plex/app/gatus.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
# Gatus endpoint for plex; the gatus.io/enabled label presumably lets Gatus
# discover this ConfigMap.
#
# CKV_K8S_21: "default" namespace, shared with the rest of this app under
# kubernetes/apps/default/; fix by moving the whole app or suppressing with a
# documented reason.
apiVersion: v1
kind: ConfigMap
metadata:
  name: plex-gatus-ep
  namespace: default
  labels:
    gatus.io/enabled: "true"
data:
  # "external" check: HTTPS GET of the web UI index every minute expecting
  # 200, resolved via 1.1.1.1 over TCP rather than cluster DNS.
  config.yaml: |
    endpoints:
      - name: plex
        group: external
        url: https://plex.devbu.io/web/index.html
        interval: 1m
        client:
          dns-resolver: tcp://1.1.1.1:53
        conditions:
          - "[STATUS] == 200"
        alerts:
          - type: pushover
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.qbittorrent-gatus-ep
File: /kubernetes/apps/default/qbittorrent/app/gatus.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
# Gatus endpoint for qbittorrent; the gatus.io/enabled label presumably lets
# Gatus discover this ConfigMap.
#
# CKV_K8S_21: "default" namespace, shared with the rest of this app under
# kubernetes/apps/default/; fix by moving the whole app or suppressing with a
# documented reason.
apiVersion: v1
kind: ConfigMap
metadata:
  name: qbittorrent-gatus-ep
  namespace: default
  labels:
    gatus.io/enabled: "true"
data:
  # "guarded" check: DNS query against 1.1.1.1 for the A record of qb.devbu.io
  # (short hostname differs from the app name); passes only when the public
  # answer is empty, i.e. the name is presumably meant to stay internal.
  # hide-hostname/hide-url keep both values off the status page.
  config.yaml: |
    endpoints:
      - name: qbittorrent
        group: guarded
        url: 1.1.1.1
        interval: 1m
        ui:
          hide-hostname: true
          hide-url: true
        dns:
          query-name: qb.devbu.io
          query-type: A
        conditions:
          - "len([BODY]) == 0"
        alerts:
          - type: pushover
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.zigbee2mqtt-gatus-ep
File: /kubernetes/apps/default/zigbee2mqtt/app/gatus.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
# Gatus endpoint for zigbee2mqtt; the gatus.io/enabled label presumably lets
# Gatus discover this ConfigMap.
#
# CKV_K8S_21: "default" namespace, shared with the rest of this app under
# kubernetes/apps/default/; fix by moving the whole app or suppressing with a
# documented reason.
apiVersion: v1
kind: ConfigMap
metadata:
  name: zigbee2mqtt-gatus-ep
  namespace: default
  labels:
    gatus.io/enabled: "true"
data:
  # "guarded" check: DNS query against 1.1.1.1 for the A record of
  # zigbee.devbu.io (short hostname differs from the app name); passes only
  # when the public answer is empty, i.e. the name is presumably meant to stay
  # internal. hide-hostname/hide-url keep both values off the status page.
  config.yaml: |
    endpoints:
      - name: zigbee2mqtt
        group: guarded
        url: 1.1.1.1
        interval: 1m
        ui:
          hide-hostname: true
          hide-url: true
        dns:
          query-name: zigbee.devbu.io
          query-type: A
        conditions:
          - "len([BODY]) == 0"
        alerts:
          - type: pushover
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.media-browser-gatus-ep
File: /kubernetes/apps/default/media-browser/app/gatus.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
# Gatus endpoint for media-browser; the gatus.io/enabled label presumably
# lets Gatus discover this ConfigMap.
#
# CKV_K8S_21: "default" namespace, shared with the rest of this app under
# kubernetes/apps/default/; fix by moving the whole app or suppressing with a
# documented reason.
apiVersion: v1
kind: ConfigMap
metadata:
  name: media-browser-gatus-ep
  namespace: default
  labels:
    gatus.io/enabled: "true"
data:
  # "guarded" check: DNS query against 1.1.1.1 for the A record of
  # media-browser.devbu.io; passes only when the public answer is empty, i.e.
  # the name is presumably meant to stay internal. hide-hostname/hide-url
  # keep both values off the status page.
  config.yaml: |
    endpoints:
      - name: media-browser
        group: guarded
        url: 1.1.1.1
        interval: 1m
        ui:
          hide-hostname: true
          hide-url: true
        dns:
          query-name: media-browser.devbu.io
          query-type: A
        conditions:
          - "len([BODY]) == 0"
        alerts:
          - type: pushover
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.sabnzbd-gatus-ep
File: /kubernetes/apps/default/sabnzbd/app/gatus.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
# Gatus endpoint for sabnzbd; the gatus.io/enabled label presumably lets
# Gatus discover this ConfigMap.
#
# CKV_K8S_21: "default" namespace, shared with the rest of this app under
# kubernetes/apps/default/; fix by moving the whole app or suppressing with a
# documented reason.
apiVersion: v1
kind: ConfigMap
metadata:
  name: sabnzbd-gatus-ep
  namespace: default
  labels:
    gatus.io/enabled: "true"
data:
  # "guarded" check: DNS query against 1.1.1.1 for the A record of
  # sabnzbd.devbu.io; passes only when the public answer is empty, i.e. the
  # name is presumably meant to stay internal. hide-hostname/hide-url keep
  # both values off the status page.
  config.yaml: |
    endpoints:
      - name: sabnzbd
        group: guarded
        url: 1.1.1.1
        interval: 1m
        ui:
          hide-hostname: true
          hide-url: true
        dns:
          query-name: sabnzbd.devbu.io
          query-type: A
        conditions:
          - "len([BODY]) == 0"
        alerts:
          - type: pushover
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.sonarr-gatus-ep
File: /kubernetes/apps/default/sonarr/app/gatus.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
# Gatus endpoint for sonarr; the gatus.io/enabled label presumably lets Gatus
# discover this ConfigMap.
#
# CKV_K8S_21: "default" namespace, shared with the rest of this app under
# kubernetes/apps/default/; fix by moving the whole app or suppressing with a
# documented reason.
apiVersion: v1
kind: ConfigMap
metadata:
  name: sonarr-gatus-ep
  namespace: default
  labels:
    gatus.io/enabled: "true"
data:
  # "guarded" check: DNS query against 1.1.1.1 for the A record of
  # sonarr.devbu.io; passes only when the public answer is empty, i.e. the
  # name is presumably meant to stay internal. hide-hostname/hide-url keep
  # both values off the status page.
  config.yaml: |
    endpoints:
      - name: sonarr
        group: guarded
        url: 1.1.1.1
        interval: 1m
        ui:
          hide-hostname: true
          hide-url: true
        dns:
          query-name: sonarr.devbu.io
          query-type: A
        conditions:
          - "len([BODY]) == 0"
        alerts:
          - type: pushover
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.shlink-gatus-ep
File: /kubernetes/apps/default/shlink/app/gatus.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
# Gatus endpoint for shlink; the gatus.io/enabled label presumably lets Gatus
# discover this ConfigMap.
#
# CKV_K8S_21: "default" namespace, shared with the rest of this app under
# kubernetes/apps/default/; fix by moving the whole app or suppressing with a
# documented reason.
apiVersion: v1
kind: ConfigMap
metadata:
  name: shlink-gatus-ep
  namespace: default
  labels:
    gatus.io/enabled: "true"
data:
  # "external" check against the /rest/health path on ln.devbu.io every
  # minute expecting 200, resolved via 1.1.1.1 over TCP rather than cluster
  # DNS.
  config.yaml: |
    endpoints:
      - name: shlink
        group: external
        url: https://ln.devbu.io/rest/health
        interval: 1m
        client:
          dns-resolver: tcp://1.1.1.1:53
        conditions:
          - "[STATUS] == 200"
        alerts:
          - type: pushover
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.home-assistant-gatus-ep
File: /kubernetes/apps/default/home-assistant/app/gatus.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
# Gatus endpoint for home-assistant; the gatus.io/enabled label presumably
# lets Gatus discover this ConfigMap.
#
# CKV_K8S_21: "default" namespace, shared with the rest of this app under
# kubernetes/apps/default/; fix by moving the whole app or suppressing with a
# documented reason.
apiVersion: v1
kind: ConfigMap
metadata:
  name: home-assistant-gatus-ep
  namespace: default
  labels:
    gatus.io/enabled: "true"
data:
  # "external" check: HTTPS GET of hass.devbu.io every minute expecting 200,
  # resolved via 1.1.1.1 over TCP rather than cluster DNS.
  config.yaml: |
    endpoints:
      - name: home-assistant
        group: external
        url: https://hass.devbu.io
        interval: 1m
        client:
          dns-resolver: tcp://1.1.1.1:53
        conditions:
          - "[STATUS] == 200"
        alerts:
          - type: pushover
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.autobrr-gatus-ep
File: /kubernetes/apps/default/autobrr/app/gatus.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
# Gatus endpoint for autobrr; the gatus.io/enabled label presumably lets
# Gatus discover this ConfigMap.
#
# CKV_K8S_21: "default" namespace, shared with the rest of this app under
# kubernetes/apps/default/; fix by moving the whole app or suppressing with a
# documented reason.
apiVersion: v1
kind: ConfigMap
metadata:
  name: autobrr-gatus-ep
  namespace: default
  labels:
    gatus.io/enabled: "true"
data:
  # "guarded" check: DNS query against 1.1.1.1 for the A record of
  # autobrr.devbu.io; passes only when the public answer is empty, i.e. the
  # name is presumably meant to stay internal. hide-hostname/hide-url keep
  # both values off the status page.
  config.yaml: |
    endpoints:
      - name: autobrr
        group: guarded
        url: 1.1.1.1
        interval: 1m
        ui:
          hide-hostname: true
          hide-url: true
        dns:
          query-name: autobrr.devbu.io
          query-type: A
        conditions:
          - "len([BODY]) == 0"
        alerts:
          - type: pushover
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.lldap-gatus-ep
File: /kubernetes/apps/default/lldap/app/gatus.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
# Gatus endpoint for lldap; the gatus.io/enabled label presumably lets Gatus
# discover this ConfigMap.
#
# CKV_K8S_21: "default" namespace, shared with the rest of this app under
# kubernetes/apps/default/; fix by moving the whole app or suppressing with a
# documented reason.
apiVersion: v1
kind: ConfigMap
metadata:
  name: lldap-gatus-ep
  namespace: default
  labels:
    gatus.io/enabled: "true"
data:
  # "guarded" check: DNS query against 1.1.1.1 for the A record of
  # lldap.devbu.io; passes only when the public answer is empty. For a
  # directory service this is a sensible canary: the name is presumably meant
  # to stay internal. hide-hostname/hide-url keep both values off the status
  # page.
  config.yaml: |
    endpoints:
      - name: lldap
        group: guarded
        url: 1.1.1.1
        interval: 1m
        ui:
          hide-hostname: true
          hide-url: true
        dns:
          query-name: lldap.devbu.io
          query-type: A
        conditions:
          - "len([BODY]) == 0"
        alerts:
          - type: pushover
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.radarr-gatus-ep
File: /kubernetes/apps/default/radarr/app/gatus.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
# Gatus endpoint for radarr; the gatus.io/enabled label presumably lets Gatus
# discover this ConfigMap.
#
# CKV_K8S_21: "default" namespace, shared with the rest of this app under
# kubernetes/apps/default/; fix by moving the whole app or suppressing with a
# documented reason.
apiVersion: v1
kind: ConfigMap
metadata:
  name: radarr-gatus-ep
  namespace: default
  labels:
    gatus.io/enabled: "true"
data:
  # "guarded" check: DNS query against 1.1.1.1 for the A record of
  # radarr.devbu.io; passes only when the public answer is empty, i.e. the
  # name is presumably meant to stay internal. hide-hostname/hide-url keep
  # both values off the status page.
  config.yaml: |
    endpoints:
      - name: radarr
        group: guarded
        url: 1.1.1.1
        interval: 1m
        ui:
          hide-hostname: true
          hide-url: true
        dns:
          query-name: radarr.devbu.io
          query-type: A
        conditions:
          - "len([BODY]) == 0"
        alerts:
          - type: pushover
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.immich-configmap
File: /kubernetes/apps/default/immich/app/configmap.yaml:2-16
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
# Environment values shared by the immich components.
#
# CKV_K8S_21: "default" namespace. Note that the in-cluster URLs below
# hard-code ".default.svc.cluster.local", so a namespace move has to update
# them as well, not just metadata.namespace.
apiVersion: v1
kind: ConfigMap
metadata:
  name: immich-configmap
  namespace: default
data:
  # Quoted so it stays a string when the value is read from the ConfigMap.
  DB_PORT: "5432"
  # Plain-HTTP service-to-service URLs; acceptable only while this traffic
  # stays inside the cluster.
  IMMICH_MACHINE_LEARNING_URL: http://immich-machine-learning.default.svc.cluster.local:3003
  IMMICH_SERVER_URL: http://immich-server.default.svc.cluster.local:3001
  IMMICH_WEB_URL: http://immich-web.default.svc.cluster.local:3000
  LOG_LEVEL: verbose
  # ioredis:// URL carrying a base64-encoded JSON options object; it appears
  # to hold only the sentinel host list, db index and master name, no
  # credentials, which is why a ConfigMap rather than a Secret is acceptable —
  # decode and confirm before treating it as non-sensitive.
  REDIS_URL: ioredis://eyJkYiI6MTUsInNlbnRpbmVscyI6W3siaG9zdCI6InJlZGlzLW5vZGUtMC5yZWRpcy1oZWFkbGVzcy5kYXRhYmFzZS5zdmMuY2x1c3Rlci5sb2NhbCIsInBvcnQiOjI2Mzc5fSx7Imhvc3QiOiJyZWRpcy1ub2RlLTEucmVkaXMtaGVhZGxlc3MuZGF0YWJhc2Uuc3ZjLmNsdXN0ZXIubG9jYWwiLCJwb3J0IjoyNjM3OX0seyJob3N0IjoicmVkaXMtbm9kZS0yLnJlZGlzLWhlYWRsZXNzLmRhdGFiYXNlLnN2Yy5jbHVzdGVyLmxvY2FsIiwicG9ydCI6MjYzNzl9XSwibmFtZSI6InJlZGlzLW1hc3RlciJ9
  TRANSFORMERS_CACHE: /usr/src/app/.transformers_cache
  TYPESENSE_DATA_DIR: /config
  TYPESENSE_HOST: immich-typesense.default.svc.cluster.local
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.immich-gatus-ep
File: /kubernetes/apps/default/immich/app/gatus.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
# Gatus endpoint for immich; the gatus.io/enabled label presumably lets Gatus
# discover this ConfigMap.
#
# CKV_K8S_21: "default" namespace, shared with the rest of this app under
# kubernetes/apps/default/; fix by moving the whole app or suppressing with a
# documented reason.
apiVersion: v1
kind: ConfigMap
metadata:
  name: immich-gatus-ep
  namespace: default
  labels:
    gatus.io/enabled: "true"
data:
  # "external" check: HTTPS GET of photos.devbu.io every minute expecting
  # 200, resolved via 1.1.1.1 over TCP rather than cluster DNS.
  config.yaml: |
    endpoints:
      - name: immich
        group: external
        url: https://photos.devbu.io
        interval: 1m
        client:
          dns-resolver: tcp://1.1.1.1:53
        conditions:
          - "[STATUS] == 200"
        alerts:
          - type: pushover
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.frigate-gatus-ep
File: /kubernetes/apps/default/frigate/app/gatus.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
# Gatus endpoint for frigate; the gatus.io/enabled label presumably lets
# Gatus discover this ConfigMap.
#
# CKV_K8S_21: "default" namespace, shared with the rest of this app under
# kubernetes/apps/default/; fix by moving the whole app or suppressing with a
# documented reason.
apiVersion: v1
kind: ConfigMap
metadata:
  name: frigate-gatus-ep
  namespace: default
  labels:
    gatus.io/enabled: "true"
data:
  # "guarded" check: DNS query against 1.1.1.1 for the A record of
  # frigate.devbu.io; passes only when the public answer is empty, i.e. the
  # name is presumably meant to stay internal. hide-hostname/hide-url keep
  # both values off the status page.
  config.yaml: |
    endpoints:
      - name: frigate
        group: guarded
        url: 1.1.1.1
        interval: 1m
        ui:
          hide-hostname: true
          hide-url: true
        dns:
          query-name: frigate.devbu.io
          query-type: A
        conditions:
          - "len([BODY]) == 0"
        alerts:
          - type: pushover
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.libreddit-gatus-ep
File: /archive/kubernetes/apps/default/libreddit/app/gatus.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
# Archived manifest (under /archive). Gatus endpoint for libreddit; the
# gatus.io/enabled label presumably lets Gatus discover this ConfigMap.
#
# CKV_K8S_21: "default" namespace. Since this lives in the archive, a
# suppression or exclusion of the archive path from the scan is likely the
# appropriate remediation.
apiVersion: v1
kind: ConfigMap
metadata:
  name: libreddit-gatus-ep
  namespace: default
  labels:
    gatus.io/enabled: "true"
data:
  # "external" check against the /settings path every minute expecting 200,
  # resolved via 1.1.1.1 over TCP rather than cluster DNS.
  config.yaml: |
    endpoints:
      - name: libreddit
        group: external
        url: https://fuckspez.devbu.io/settings
        interval: 1m
        client:
          dns-resolver: tcp://1.1.1.1:53
        conditions:
          - "[STATUS] == 200"
        alerts:
          - type: pushover
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.scrypted-gatus-ep
File: /archive/kubernetes/apps/default/scrypted/app/gatus.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
# Archived manifest (under /archive). Gatus endpoint for scrypted; the
# gatus.io/enabled label presumably lets Gatus discover this ConfigMap.
#
# CKV_K8S_21: "default" namespace. Since this lives in the archive, a
# suppression or exclusion of the archive path from the scan is likely the
# appropriate remediation.
apiVersion: v1
kind: ConfigMap
metadata:
  name: scrypted-gatus-ep
  namespace: default
  labels:
    gatus.io/enabled: "true"
data:
  # "guarded" check: DNS query against 1.1.1.1 for the A record of
  # scrypted.devbu.io; passes only when the public answer is empty. Unlike
  # the non-archived guarded endpoints there is no ui.hide-hostname /
  # hide-url, so the resolver and the probed name would show on the status
  # page if this were re-enabled.
  config.yaml: |
    endpoints:
      - name: scrypted
        group: guarded
        url: 1.1.1.1
        interval: 1m
        dns:
          query-name: scrypted.devbu.io
          query-type: A
        conditions:
          - "len([BODY]) == 0"
        alerts:
          - type: pushover
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.hajimari-gatus-ep
File: /archive/kubernetes/apps/default/hajimari/app/gatus.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
# Archived manifest (under /archive). Gatus endpoint for hajimari; the
# gatus.io/enabled label presumably lets Gatus discover this ConfigMap.
#
# CKV_K8S_21: "default" namespace. Since this lives in the archive, a
# suppression or exclusion of the archive path from the scan is likely the
# appropriate remediation.
apiVersion: v1
kind: ConfigMap
metadata:
  name: hajimari-gatus-ep
  namespace: default
  labels:
    gatus.io/enabled: "true"
data:
  # "guarded" check: DNS query against 1.1.1.1 for the A record of
  # apps.devbu.io (hostname differs from the app name); passes only when the
  # public answer is empty. No ui.hide-hostname / hide-url here, unlike the
  # non-archived guarded endpoints, so both values would show on the status
  # page if re-enabled.
  config.yaml: |
    endpoints:
      - name: hajimari
        group: guarded
        url: 1.1.1.1
        interval: 1m
        dns:
          query-name: apps.devbu.io
          query-type: A
        conditions:
          - "len([BODY]) == 0"
        alerts:
          - type: pushover
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.midarr-gatus-ep
File: /archive/kubernetes/apps/default/midarr/app/gatus.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: ConfigMap
4 | metadata:
5 | name: midarr-gatus-ep
6 | namespace: default
7 | labels:
8 | gatus.io/enabled: "true"
9 | data:
10 | config.yaml: |
11 | endpoints:
12 | - name: midarr
13 | group: guarded
14 | url: 1.1.1.1
15 | interval: 1m
16 | dns:
17 | query-name: midarr.devbu.io
18 | query-type: A
19 | conditions:
20 | - "len([BODY]) == 0"
21 | alerts:
22 | - type: pushover
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.theme-park-gatus-ep
File: /archive/kubernetes/apps/default/theme-park/app/gatus.yaml:2-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: ConfigMap
4 | metadata:
5 | name: theme-park-gatus-ep
6 | namespace: default
7 | labels:
8 | gatus.io/enabled: "true"
9 | data:
10 | config.yaml: |
11 | endpoints:
12 | - name: theme-park
13 | group: external
14 | url: https://theme-park.devbu.io
15 | interval: 1m
16 | client:
17 | dns-resolver: tcp://1.1.1.1:53
18 | conditions:
19 | - "[STATUS] == 200"
20 | alerts:
21 | - type: pushover
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.bazarr-gatus-ep
File: /archive/kubernetes/apps/default/bazarr/app/gatus.yaml:2-25
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: ConfigMap
4 | metadata:
5 | name: bazarr-gatus-ep
6 | namespace: default
7 | labels:
8 | gatus.io/enabled: "true"
9 | data:
10 | config.yaml: |
11 | endpoints:
12 | - name: bazarr
13 | group: guarded
14 | url: 1.1.1.1
15 | interval: 1m
16 | ui:
17 | hide-hostname: true
18 | hide-url: true
19 | dns:
20 | query-name: bazarr.devbu.io
21 | query-type: A
22 | conditions:
23 | - "len([BODY]) == 0"
24 | alerts:
25 | - type: pushover
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: Secret.default.nextcloud
File: /archive/kubernetes/apps/default/nextcloud/app/secret.sops.yaml:2-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: Secret
4 | metadata:
5 | name: nextcloud
6 | namespace: default
7 | stringData:
8 | nextcloud-username: ENC[AES256_GCM,data:mynIfWd7qiN/,iv:bLr3SOIGs1XK36y/7DGAsGtDfDeiycJpnjLkR91y3Cg=,tag:S8Uro4BWwLjdYti1v0cZ+Q==,type:str]
9 | nextcloud-password: ENC[AES256_GCM,data:AJ6lRDRsGU3mcXYNi8YBbIyKpvn4tsZm8ELG,iv:kPS2pdaR89A73Lc6F65eBPgC5+wICe5K499OS0nM4Ao=,tag:44z9yIWSUqu8avWQTMvpBQ==,type:str]
10 | database-username: ENC[AES256_GCM,data:oGGs07QmPVMX,iv:qLiHnEg0K2MKMBcx2NQq1ZEFIXdzVxyC4urNV+qJ04U=,tag:EhV4Epsb/Obk3uZeHW+zZw==,type:str]
11 | database-password: ENC[AES256_GCM,data:FvtbLXRRNCvh4utcMO02U1QDyK0Y2Vt8GD3Jyj4=,iv:kbQ7c7YutVK5vTLsh6rCoM4lwiI60AeH2uItVsIl3kg=,tag:ljPXPKhgQbwuBXK3zxYc0g==,type:str]
12 | smtp-username: ""
13 | smtp-password: ""
14 | sops:
15 | kms: []
16 | gcp_kms: []
17 | azure_kv: []
18 | hc_vault: []
19 | age:
20 | - recipient: age15uzrw396e67z9wdzsxzdk7ka0g2gr3l460e0slaea563zll3hdfqwqxdta
21 | enc: |
22 | -----BEGIN AGE ENCRYPTED FILE-----
23 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaUldTSWdlcmpJNjlpblNP
24 | K2x0RGVsZ0RXcWRCSXhsUThoaW5rbWljNndzClFFU2MzYUtnR3RNb1NteWRZZDRS
25 | SmJNdUtVRnc5MnJPR3hlcXlTZXpBU3cKLS0tIC9vSWhVUDJid3BOZXVNZTNJZ2Y4
26 | cEFRVkdHbzdJcVQzSzQ1UmNVWGROSjAKh10HB7vKq9RTQEDxNnFZYX+gUSJESSMf
27 | fw53wQznjr3vpn8/xOisTSW5SsiI1GeUY5nhjtuCKjBq9Rzu4qCmJQ==
28 | -----END AGE ENCRYPTED FILE-----
29 | lastmodified: "2022-08-28T13:18:51Z"
30 | mac: ENC[AES256_GCM,data:G3c7mkd40hgdD2EXWON4aKUDX3iQ43kjdNJd1xprs9yPDOi26qBHtk0XkhkEbh4sD0ijkBem7cV2kqgGEK2fUB0OjdYosc8NrFLhSp433Hnclhh15yziexNlEYgXn1zGTy6o3y8ZIj+zMwpKhwbhV1UQsJ+LiBVKhYLHw/+ioWs=,iv:u+XdfFXOYdhBeS8Ds9BHoxxPO4pr5m2jdv0jaVB1A10=,tag:Nn7csoiV8v8e5BG9njTSzA==,type:str]
31 | pgp: []
32 | encrypted_regex: ^(data|stringData)$
33 | version: 3.7.3
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.paperless-gatus-ep
File: /archive/kubernetes/apps/default/paperless/app/gatus.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: ConfigMap
4 | metadata:
5 | name: paperless-gatus-ep
6 | namespace: default
7 | labels:
8 | gatus.io/enabled: "true"
9 | data:
10 | config.yaml: |
11 | endpoints:
12 | - name: paperless
13 | group: guarded
14 | url: 1.1.1.1
15 | interval: 1m
16 | dns:
17 | query-name: paperless.devbu.io
18 | query-type: A
19 | conditions:
20 | - "len([BODY]) == 0"
21 | alerts:
22 | - type: pushover
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.letsblockit-gatus-ep
File: /archive/kubernetes/apps/default/letsblockit/app/gatus.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: ConfigMap
4 | metadata:
5 | name: letsblockit-gatus-ep
6 | namespace: default
7 | labels:
8 | gatus.io/enabled: "true"
9 | data:
10 | config.yaml: |
11 | endpoints:
12 | - name: letsblockit
13 | group: external
14 | url: https://letsblockit.devbu.io/lists
15 | interval: 1m
16 | client:
17 | dns-resolver: tcp://1.1.1.1:53
18 | conditions:
19 | - "[STATUS] == 401"
20 | - "[BODY] == Unauthorized"
21 | alerts:
22 | - type: pushover
Check: CKV_K8S_21: "The default namespace should not be used"
FAILED for resource: ConfigMap.default.changedetection-gatus-ep
File: /archive/kubernetes/apps/default/changedetection/app/gatus.yaml:2-22
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20.html
2 | apiVersion: v1
3 | kind: ConfigMap
4 | metadata:
5 | name: changedetection-gatus-ep
6 | namespace: default
7 | labels:
8 | gatus.io/enabled: "true"
9 | data:
10 | config.yaml: |
11 | endpoints:
12 | - name: changedetection
13 | group: guarded
14 | url: 1.1.1.1
15 | interval: 1m
16 | dns:
17 | query-name: changedetection.devbu.io
18 | query-type: A
19 | conditions:
20 | - "len([BODY]) == 0"
21 | alerts:
22 | - type: pushover
Check: CKV2_K8S_5: "No ServiceAccount/Node should be able to read all secrets"
FAILED for resource: ClusterRoleBinding.monitoring.gatus
File: /kubernetes/apps/monitoring/gatus/app/rbac.yaml:38-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/no-serviceaccountnode-should-be-able-to-read-all-secrets.html
38 | apiVersion: rbac.authorization.k8s.io/v1
39 | kind: ClusterRoleBinding
40 | metadata:
41 | name: gatus
42 | namespace: monitoring
43 | roleRef:
44 | kind: ClusterRole
45 | name: gatus
46 | apiGroup: rbac.authorization.k8s.io
47 | subjects:
48 | - kind: ServiceAccount
49 | name: gatus
50 | namespace: monitoring
secrets scan results:
Passed checks: 0, Failed checks: 6, Skipped checks: 0
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 3820f03104befbac319cee75080642e0a5befaf3
File: /archive/kubernetes/apps/monitoring/victoria-metrics/app/helmrelease.yaml:103-104
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
103 | configSecret: aler***************
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: bf239b9331935fc82646bbac77e7cdbe93eaabcb
File: /kubernetes/apps/database/cloudnative-pg/app/externalsecret.yaml:29-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
29 | - secretKey: aws-*************
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 717d58724c635c14634f020f465f29c17bb47009
File: /kubernetes/apps/database/cloudnative-pg/app/externalsecret.yaml:33-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
33 | - secretKey: aws-s****************
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 3820f03104befbac319cee75080642e0a5befaf3
File: /kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml:51-52
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
51 | configSecret: aler***************
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: da6a38f3c7f7b1ded62a865a7f89ce25a3c0ed00
File: /kubernetes/apps/monitoring/unpoller/app/helmrelease.yaml:38-39
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
38 | UP_UNIFI_DEFAULT_PASS: 1nt************
Check: CKV_SECRET_6: "Base64 High Entropy String"
FAILED for resource: 04e6ca783dd36c969a78027b47593ee47213dcd4
File: /kubernetes/apps/networking/external-dns/app/bind/externalsecret.yaml:16-17
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
16 | - secretKey: rnd***********
github_actions scan results:
Passed checks: 308, Failed checks: 12, Skipped checks: 0
Check: CKV_GHA_7: "The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. "
FAILED for resource: on(HelmRepository Sync)
File: /.github/workflows/helmrepository-sync.yaml:7-15
7 | repoName:
8 | description: Flux HelmRepository Name
9 | required: true
10 | repoNamespace:
11 | description: Flux HelmRepository Namespace
12 | default: flux-system
13 | required: true
14 | pull_request:
15 | branches: ["main"]
Check: CKV_GHA_7: "The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. "
FAILED for resource: on(Renovate)
File: /.github/workflows/renovate.yaml:7-16
7 | dryRun:
8 | description: Dry-Run
9 | default: "false"
10 | required: false
11 | logLevel:
12 | description: Log-Level
13 | default: debug
14 | required: false
15 | schedule:
16 | - cron: "0 * * * *"
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Kubeconform)
File: /.github/workflows/kubeconform.yaml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Meta Labeler)
File: /.github/workflows/meta-labeler.yaml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Publish Schemas)
File: /.github/workflows/publish-schemas.yaml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Meta Sync labels)
File: /.github/workflows/meta-sync-labels.yaml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Publish Docs)
File: /.github/workflows/publish-docs.yaml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Publish Terraform)
File: /.github/workflows/publish-terraform.yaml:14-15
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(HelmRepository Sync)
File: /.github/workflows/helmrepository-sync.yaml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Broken Link Check)
File: /.github/workflows/broken-link-check.yaml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Flux Diff)
File: /.github/workflows/flux-diff.yaml:13-14
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(Renovate)
File: /.github/workflows/renovate.yaml:0-1
ansible scan results:
Passed checks: 6, Failed checks: 14, Skipped checks: 0
Check: CKV2_ANSIBLE_3: "Ensure block is handling task errors properly"
FAILED for resource: block.Update
File: /ansible/kubernetes/playbooks/cluster-update-rollout.yaml:21-77
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_ANSIBLE_3: "Ensure block is handling task errors properly"
FAILED for resource: block.Reset Ceph Drives
File: /ansible/kubernetes/playbooks/cluster-ceph-reset.yaml:12-41
12 | - name: Reset Ceph Drives # noqa: ignore-errors
13 | ignore_errors: true
14 | when: ceph_drives | default([]) | length > 0
15 | block:
16 | - name: Delete (/var/lib/rook)
17 | ansible.builtin.file:
18 | state: absent
19 | path: /var/lib/rook
20 | - name: Delete (/dev/mapper/ceph-*) # noqa: no-changed-when
21 | ansible.builtin.shell: |
22 | set -o pipefail
23 | ls /dev/mapper/ceph-* | xargs -I% -- dmsetup remove_all --force % || true
24 | - name: Delete (/dev/ceph-*) # noqa: no-changed-when
25 | ansible.builtin.command: rm -rf /dev/ceph-*
26 | - name: Delete (/dev/mapper/ceph--*) # noqa: no-changed-when
27 | ansible.builtin.command: rm -rf /dev/mapper/ceph--*
28 | - name: Wipe (sgdisk) # noqa: no-changed-when
29 | ansible.builtin.command: "sgdisk --zap-all {{ item }}"
30 | loop: "{{ ceph_drives }}"
31 | - name: Wipe (dd) # noqa: no-changed-when
32 | ansible.builtin.command: "dd if=/dev/zero of={{ item }} bs=1M count=100 oflag=direct,dsync"
33 | loop: "{{ ceph_drives }}"
34 | - name: Wipe (blkdiscard) # noqa: no-changed-when
35 | ansible.builtin.command: "blkdiscard {{ item }}"
36 | loop: "{{ ceph_drives }}"
37 | - name: Wipe (partprobe) # noqa: no-changed-when
38 | ansible.builtin.command: "partprobe {{ item }}"
39 | loop: "{{ ceph_drives }}"
Check: CKV2_ANSIBLE_3: "Ensure block is handling task errors properly"
FAILED for resource: block.Locale
File: /ansible/kubernetes/playbooks/cluster-prepare.yaml:12-19
12 | - name: Locale
13 | block:
14 | - name: Locale | Set timezone
15 | community.general.timezone:
16 | name: "{{ timezone | default('Etc/UTC') }}"
17 |
18 | - name: Packages
19 | block:
Check: CKV2_ANSIBLE_3: "Ensure block is handling task errors properly"
FAILED for resource: block.Packages
File: /ansible/kubernetes/playbooks/cluster-prepare.yaml:18-47
18 | - name: Packages
19 | block:
20 | - name: Packages | Add fish key
21 | ansible.builtin.get_url:
22 | url: https://download.opensuse.org/repositories/shells:fish:release:3/Debian_12/Release.key
23 | dest: /etc/apt/trusted.gpg.d/fish.asc
24 | owner: root
25 | group: root
26 | mode: "0644"
27 | - name: Packages | Add fish repository
28 | ansible.builtin.apt_repository:
29 | repo: deb [signed-by=/etc/apt/trusted.gpg.d/fish.asc] http://download.opensuse.org/repositories/shells:/fish:/release:/3/Debian_12/ /
30 | filename: fish
31 | update_cache: true
32 | - name: Packages | Add non-free repository
33 | ansible.builtin.apt_repository:
34 | repo: deb http://deb.debian.org/debian/ stable main contrib non-free
35 | filename: non-free
36 | update_cache: true
37 | - name: Packages | Install
38 | ansible.builtin.apt:
39 | name: i965-va-driver-shaders,apt-transport-https,ca-certificates,conntrack,curl,dirmngr,fish,gdisk,
40 | gnupg,hdparm,htop,intel-gpu-tools,intel-media-va-driver-non-free,iperf3,iptables,iputils-ping,ipvsadm,
41 | libseccomp2,lm-sensors,neofetch,net-tools,nfs-common,nvme-cli,open-iscsi,parted,psmisc,python3,
42 | python3-apt,python3-openshift,python3-kubernetes,python3-yaml,smartmontools,socat,software-properties-common,
43 | unzip,util-linux
44 | install_recommends: false
45 |
46 | - name: User Configuration
47 | block:
Check: CKV2_ANSIBLE_3: "Ensure block is handling task errors properly"
FAILED for resource: block.User Configuration
File: /ansible/kubernetes/playbooks/cluster-prepare.yaml:46-99
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_ANSIBLE_3: "Ensure block is handling task errors properly"
FAILED for resource: block.Network Configuration
File: /ansible/kubernetes/playbooks/cluster-prepare.yaml:98-140
98 | - name: Network Configuration
99 | notify: Reboot
100 | block:
101 | - name: Network Configuration | Set hostname
102 | ansible.builtin.hostname:
103 | name: "{{ inventory_hostname }}"
104 | - name: Network Configuration | Update hosts
105 | ansible.builtin.copy:
106 | dest: /etc/hosts
107 | content: |
108 | 127.0.0.1 localhost
109 | 127.0.1.1 {{ inventory_hostname }}
110 |
111 | # The following lines are desirable for IPv6 capable hosts
112 | ::1 localhost ip6-localhost ip6-loopback
113 | ff02::1 ip6-allnodes
114 | ff02::2 ip6-allrouters
115 | mode: preserve
116 | # https://github.com/cilium/cilium/issues/18706
117 | - name: Network Configuration | Cilium (1)
118 | ansible.builtin.lineinfile:
119 | dest: /etc/systemd/networkd.conf
120 | regexp: ManageForeignRoutingPolicyRules
121 | line: ManageForeignRoutingPolicyRules=no
122 | - name: Network Configuration | Cilium (2)
123 | ansible.builtin.lineinfile:
124 | dest: /etc/systemd/networkd.conf
125 | regexp: ManageForeignRoutes
126 | line: ManageForeignRoutes=no
127 | - name: Network Configuration | Set NIC
128 | ansible.builtin.copy:
129 | dest: /etc/network/interfaces.d/enp7s0
130 | content: |
131 | auto enp7s0
132 | allow-hotplug enp7s0
133 | iface enp7s0 inet dhcp
134 | post-up ifconfig enp7s0 mtu 9000
135 | owner: root
136 | group: root
137 | mode: "0644"
138 |
139 | - name: System Configuration
140 | notify: Reboot
Check: CKV2_ANSIBLE_3: "Ensure block is handling task errors properly"
FAILED for resource: block.System Configuration
File: /ansible/kubernetes/playbooks/cluster-prepare.yaml:139-205
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_ANSIBLE_3: "Ensure block is handling task errors properly"
FAILED for resource: block.Stop Kubernetes
File: /ansible/kubernetes/playbooks/cluster-nuke.yaml:12-24
12 | - name: Stop Kubernetes # noqa: ignore-errors
13 | ignore_errors: true
14 | block:
15 | - name: Stop Kubernetes
16 | ansible.builtin.include_role:
17 | name: xanmanning.k3s
18 | public: true
19 | vars:
20 | k3s_state: stopped
21 |
22 | # https://github.com/k3s-io/docs/blob/main/docs/installation/network-options.md
23 | - name: Networking
24 | block:
Check: CKV2_ANSIBLE_3: "Ensure block is handling task errors properly"
FAILED for resource: block.Networking
File: /ansible/kubernetes/playbooks/cluster-nuke.yaml:23-47
23 | - name: Networking
24 | block:
25 | - name: Networking | Delete Cilium links
26 | ansible.builtin.command:
27 | cmd: "ip link delete {{ item }}"
28 | removes: "/sys/class/net/{{ item }}"
29 | loop: ["cilium_host", "cilium_net", "cilium_vxlan"]
30 | - name: Networking | Flush iptables
31 | ansible.builtin.iptables:
32 | table: "{{ item }}"
33 | flush: true
34 | loop: ["filter", "nat", "mangle", "raw"]
35 | - name: Networking | Flush ip6tables
36 | ansible.builtin.iptables:
37 | table: "{{ item }}"
38 | flush: true
39 | ip_version: ipv6
40 | loop: ["filter", "nat", "mangle", "raw"]
41 | - name: Networking | Delete CNI directory
42 | ansible.builtin.file:
43 | path: /etc/cni/net.d
44 | state: absent
45 |
46 | - name: Uninstall Kubernetes
47 | ansible.builtin.include_role:
Check: CKV2_ANSIBLE_3: "Ensure block is handling task errors properly"
FAILED for resource: block.Coredns
File: /ansible/kubernetes/playbooks/tasks/coredns.yaml:2-58
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_ANSIBLE_3: "Ensure block is handling task errors properly"
FAILED for resource: block.Enabled Stale containers
File: /ansible/kubernetes/playbooks/tasks/stale_containers.yaml:3-31
3 | - name: Enabled Stale containers
4 | when: stale_containers_state == "enabled"
5 | block:
6 | - name: Stale containers | Create systemd unit
7 | ansible.builtin.copy:
8 | src: files/stale-containers.service
9 | dest: /etc/systemd/system/stale-containers.service
10 | owner: root
11 | group: root
12 | mode: "0644"
13 |
14 | - name: Stale containers | Create systemd timer
15 | ansible.builtin.copy:
16 | src: files/stale-containers.timer
17 | dest: /etc/systemd/system/stale-containers.timer
18 | owner: root
19 | group: root
20 | mode: "0644"
21 |
22 | - name: Stale containers | Start the systemd timer
23 | ansible.builtin.systemd:
24 | name: stale-containers.timer
25 | enabled: true
26 | daemon_reload: true
27 | masked: false
28 | state: started
29 |
30 | - name: Disable Stale containers
31 | when: stale_containers_state == "disabled"
Check: CKV2_ANSIBLE_3: "Ensure block is handling task errors properly"
FAILED for resource: block.Disable Stale containers
File: /ansible/kubernetes/playbooks/tasks/stale_containers.yaml:30-38
30 | - name: Disable Stale containers
31 | when: stale_containers_state == "disabled"
32 | block:
33 | - name: Stale containers | Mask the systemd timer
34 | ansible.builtin.systemd:
35 | name: stale-containers.timer
36 | masked: true
Check: CKV2_ANSIBLE_3: "Ensure block is handling task errors properly"
FAILED for resource: block.Cruft
File: /ansible/kubernetes/playbooks/tasks/cruft.yaml:3-34
3 | - name: Cruft
4 | block:
5 | - name: Cruft | Get list of custom mantifests
6 | ansible.builtin.find:
7 | paths: "{{ k3s_server_manifests_dir }}"
8 | file_type: file
9 | use_regex: true
10 | patterns: ["^custom-.*"]
11 | register: custom_manifest
12 |
13 | - name: Cruft | Delete custom mantifests
14 | ansible.builtin.file:
15 | path: "{{ item.path }}"
16 | state: absent
17 | loop: "{{ custom_manifest.files }}"
18 |
19 | - name: Cruft | Get list of custom addons
20 | kubernetes.core.k8s_info:
21 | kubeconfig: /etc/rancher/k3s/k3s.yaml
22 | kind: Addon
23 | register: addons_list
24 |
25 | - name: Cruft | Delete addons
26 | kubernetes.core.k8s:
27 | kubeconfig: /etc/rancher/k3s/k3s.yaml
28 | name: "{{ item.metadata.name }}"
29 | kind: Addon
30 | namespace: kube-system
31 | state: absent
32 | loop: "{{ addons_list.resources | selectattr('metadata.name', 'match', '^custom-.*') | list }}"
Check: CKV2_ANSIBLE_3: "Ensure block is handling task errors properly"
FAILED for resource: block.Cilium
File: /ansible/kubernetes/playbooks/tasks/cilium.yaml:2-58
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Linting
This repository failed the Experience Builder Terraform Module's Linting validation: no linting tool was found in any of the CI/CD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools