| Field | Value |
|---|---|
| Repository | poseidon / terraform-render-bootstrap |
| Description | Low-level bootstrap a Kubernetes control plane with Terraform (part of Typhoon) |
| Stars | 101 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation: no security scanning tool was found in any of the CI/CD configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below).
- Implement one of the security scanning tools within the CI/CD framework used by the repository.
Checkov Output
kubernetes scan results:
Passed checks: 472, Failed checks: 89, Skipped checks: 0
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /resources/static-manifests/kube-apiserver.yaml:1-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_82: "Ensure that the admission control plugin ServiceAccount is set"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /resources/static-manifests/kube-apiserver.yaml:1-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-admission-control-plugin-serviceaccount-is-set.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /resources/static-manifests/kube-apiserver.yaml:1-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /resources/static-manifests/kube-apiserver.yaml:1-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_90: "Ensure that the --profiling argument is set to false"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /resources/static-manifests/kube-apiserver.yaml:1-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-profiling-argument-is-set-to-false-2.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_91: "Ensure that the --audit-log-path argument is set"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /resources/static-manifests/kube-apiserver.yaml:1-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-audit-log-path-argument-is-set.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_80: "Ensure that the admission control plugin AlwaysPullImages is set"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /resources/static-manifests/kube-apiserver.yaml:1-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-admission-control-plugin-alwayspullimages-is-set.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_19: "Containers should not share the host network namespace"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /resources/static-manifests/kube-apiserver.yaml:1-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-18.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /resources/static-manifests/kube-apiserver.yaml:1-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /resources/static-manifests/kube-apiserver.yaml:1-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_88: "Ensure that the --insecure-port argument is set to 0"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /resources/static-manifests/kube-apiserver.yaml:1-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-insecure-port-argument-is-set-to-0.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_73: "Ensure that the --kubelet-certificate-authority argument is set as appropriate"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /resources/static-manifests/kube-apiserver.yaml:1-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-kubelet-certificate-authority-argument-is-set-as-appropriate.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /resources/static-manifests/kube-apiserver.yaml:1-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_84: "Ensure that the admission control plugin PodSecurityPolicy is set"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /resources/static-manifests/kube-apiserver.yaml:1-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-admission-control-plugin-podsecuritypolicy-is-set.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_94: "Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /resources/static-manifests/kube-apiserver.yaml:1-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-audit-log-maxsize-argument-is-set-to-100-or-as-appropriate.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_96: "Ensure that the --service-account-lookup argument is set to true"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /resources/static-manifests/kube-apiserver.yaml:1-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-service-account-lookup-argument-is-set-to-true.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_97: "Ensure that the --service-account-key-file argument is set as appropriate"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /resources/static-manifests/kube-apiserver.yaml:1-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-service-account-key-file-argument-is-set-as-appropriate.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_81: "Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /resources/static-manifests/kube-apiserver.yaml:1-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-admission-control-plugin-securitycontextdeny-is-set-if-podsecuritypolicy-is-not-used.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_92: "Ensure that the --audit-log-maxage argument is set to 30 or as appropriate"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /resources/static-manifests/kube-apiserver.yaml:1-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-audit-log-maxage-argument-is-set-to-30-or-as-appropriate.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_104: "Ensure that encryption providers are appropriately configured"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /resources/static-manifests/kube-apiserver.yaml:1-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-etcd-cafile-argument-is-set-as-appropriate.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /resources/static-manifests/kube-apiserver.yaml:1-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /resources/static-manifests/kube-apiserver.yaml:1-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /resources/static-manifests/kube-apiserver.yaml:1-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /resources/static-manifests/kube-apiserver.yaml:1-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /resources/static-manifests/kube-apiserver.yaml:1-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_93: "Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /resources/static-manifests/kube-apiserver.yaml:1-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /resources/static-manifests/kube-apiserver.yaml:1-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_83: "Ensure that the admission control plugin NamespaceLifecycle is set"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /resources/static-manifests/kube-apiserver.yaml:1-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-admission-control-plugin-namespacelifecycle-is-set.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /resources/static-manifests/kube-apiserver.yaml:1-71
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.kube-system.kube-scheduler
File: /resources/static-manifests/kube-scheduler.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: kube-scheduler
  namespace: kube-system
  labels:
    k8s-app: kube-scheduler
    tier: control-plane
spec:
  hostNetwork: true
  priorityClassName: system-cluster-critical
  securityContext:
    runAsNonRoot: true
    runAsUser: 65534
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: kube-scheduler
      image: ${kube_scheduler_image}
      command:
        - kube-scheduler
        - --authentication-kubeconfig=/etc/kubernetes/pki/scheduler.conf
        - --authorization-kubeconfig=/etc/kubernetes/pki/scheduler.conf
        - --kubeconfig=/etc/kubernetes/pki/scheduler.conf
        - --leader-elect=true
      livenessProbe:
        httpGet:
          scheme: HTTPS
          host: 127.0.0.1
          path: /healthz
          port: 10259
        initialDelaySeconds: 15
        timeoutSeconds: 15
      resources:
        requests:
          cpu: 100m
      volumeMounts:
        - name: secrets
          mountPath: /etc/kubernetes/pki/scheduler.conf
          readOnly: true
  volumes:
    - name: secrets
      hostPath:
        path: /etc/kubernetes/pki/scheduler.conf
```
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.kube-system.kube-scheduler
File: /resources/static-manifests/kube-scheduler.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.kube-system.kube-scheduler
File: /resources/static-manifests/kube-scheduler.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_19: "Containers should not share the host network namespace"
FAILED for resource: Pod.kube-system.kube-scheduler
File: /resources/static-manifests/kube-scheduler.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-18.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.kube-system.kube-scheduler
File: /resources/static-manifests/kube-scheduler.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.kube-system.kube-scheduler
File: /resources/static-manifests/kube-scheduler.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_115: "Ensure that the --bind-address argument is set to 127.0.0.1"
FAILED for resource: Pod.kube-system.kube-scheduler
File: /resources/static-manifests/kube-scheduler.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-bind-address-argument-is-set-to-127001-1.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.kube-system.kube-scheduler
File: /resources/static-manifests/kube-scheduler.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.kube-system.kube-scheduler
File: /resources/static-manifests/kube-scheduler.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.kube-system.kube-scheduler
File: /resources/static-manifests/kube-scheduler.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.kube-system.kube-scheduler
File: /resources/static-manifests/kube-scheduler.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Pod.kube-system.kube-scheduler
File: /resources/static-manifests/kube-scheduler.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_114: "Ensure that the --profiling argument is set to false"
FAILED for resource: Pod.kube-system.kube-scheduler
File: /resources/static-manifests/kube-scheduler.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-profiling-argument-is-set-to-false-1.html
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.kube-system.kube-scheduler
File: /resources/static-manifests/kube-scheduler.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.kube-system.kube-scheduler
File: /resources/static-manifests/kube-scheduler.yaml:1-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Pod.kube-system.kube-controller-manager
File: /resources/static-manifests/kube-controller-manager.yaml:1-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_110: "Ensure that the --service-account-private-key-file argument is set as appropriate"
FAILED for resource: Pod.kube-system.kube-controller-manager
File: /resources/static-manifests/kube-controller-manager.yaml:1-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-service-account-private-key-file-argument-is-set-as-appropriate.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Pod.kube-system.kube-controller-manager
File: /resources/static-manifests/kube-controller-manager.yaml:1-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Pod.kube-system.kube-controller-manager
File: /resources/static-manifests/kube-controller-manager.yaml:1-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_106: "Ensure that the --terminated-pod-gc-threshold argument is set as appropriate"
FAILED for resource: Pod.kube-system.kube-controller-manager
File: /resources/static-manifests/kube-controller-manager.yaml:1-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-terminated-pod-gc-threshold-argument-is-set-as-appropriate.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_19: "Containers should not share the host network namespace"
FAILED for resource: Pod.kube-system.kube-controller-manager
File: /resources/static-manifests/kube-controller-manager.yaml:1-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-18.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Pod.kube-system.kube-controller-manager
File: /resources/static-manifests/kube-controller-manager.yaml:1-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Pod.kube-system.kube-controller-manager
File: /resources/static-manifests/kube-controller-manager.yaml:1-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Pod.kube-system.kube-controller-manager
File: /resources/static-manifests/kube-controller-manager.yaml:1-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Pod.kube-system.kube-controller-manager
File: /resources/static-manifests/kube-controller-manager.yaml:1-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_111: "Ensure that the --root-ca-file argument is set as appropriate"
FAILED for resource: Pod.kube-system.kube-controller-manager
File: /resources/static-manifests/kube-controller-manager.yaml:1-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-root-ca-file-argument-is-set-as-appropriate.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_113: "Ensure that the --bind-address argument is set to 127.0.0.1"
FAILED for resource: Pod.kube-system.kube-controller-manager
File: /resources/static-manifests/kube-controller-manager.yaml:1-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-bind-address-argument-is-set-to-127001.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Pod.kube-system.kube-controller-manager
File: /resources/static-manifests/kube-controller-manager.yaml:1-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Pod.kube-system.kube-controller-manager
File: /resources/static-manifests/kube-controller-manager.yaml:1-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Pod.kube-system.kube-controller-manager
File: /resources/static-manifests/kube-controller-manager.yaml:1-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Pod.kube-system.kube-controller-manager
File: /resources/static-manifests/kube-controller-manager.yaml:1-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_107: "Ensure that the --profiling argument is set to false"
FAILED for resource: Pod.kube-system.kube-controller-manager
File: /resources/static-manifests/kube-controller-manager.yaml:1-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-that-the-profiling-argument-is-set-to-false.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Pod.kube-system.kube-controller-manager
File: /resources/static-manifests/kube-controller-manager.yaml:1-75
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.kube-system.coredns
File: /resources/manifests/coredns/deployment.yaml:1-109
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_25: "Minimize the admission of containers with added capability"
FAILED for resource: Deployment.kube-system.coredns
File: /resources/manifests/coredns/deployment.yaml:1-109
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-24.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.kube-system.coredns
File: /resources/manifests/coredns/deployment.yaml:1-109
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.kube-system.coredns
File: /resources/manifests/coredns/deployment.yaml:1-109
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.kube-system.coredns
File: /resources/manifests/coredns/deployment.yaml:1-109
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.kube-system.coredns
File: /resources/manifests/coredns/deployment.yaml:1-109
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.kube-system.coredns
File: /resources/manifests/coredns/deployment.yaml:1-109
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.kube-system.cilium-operator
File: /resources/cilium/deployment.yaml:1-93
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.kube-system.cilium-operator
File: /resources/cilium/deployment.yaml:1-93
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.kube-system.cilium-operator
File: /resources/cilium/deployment.yaml:1-93
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_19: "Containers should not share the host network namespace"
FAILED for resource: Deployment.kube-system.cilium-operator
File: /resources/cilium/deployment.yaml:1-93
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-18.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.kube-system.cilium-operator
File: /resources/cilium/deployment.yaml:1-93
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.kube-system.cilium-operator
File: /resources/cilium/deployment.yaml:1-93
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.kube-system.cilium-operator
File: /resources/cilium/deployment.yaml:1-93
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.kube-system.cilium-operator
File: /resources/cilium/deployment.yaml:1-93
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.kube-system.cilium-operator
File: /resources/cilium/deployment.yaml:1-93
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.kube-system.cilium-operator
File: /resources/cilium/deployment.yaml:1-93
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.kube-system.cilium-operator
File: /resources/cilium/deployment.yaml:1-93
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.kube-system.cilium-operator
File: /resources/cilium/deployment.yaml:1-93
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.kube-system.cilium-operator
File: /resources/cilium/deployment.yaml:1-93
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
FAILED for resource: Deployment.kube-system.cilium-operator
File: /resources/cilium/deployment.yaml:1-93
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-13.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.kube-system.cilium-operator
File: /resources/cilium/deployment.yaml:1-93
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.kube-system.kube-apiserver
File: /resources/static-manifests/kube-apiserver.yaml:1-71
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.kube-system.kube-scheduler
File: /resources/static-manifests/kube-scheduler.yaml:1-44
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.kube-system.kube-controller-manager
File: /resources/static-manifests/kube-controller-manager.yaml:1-75
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.coredns.tier-control-plane.k8s-app-coredns
File: /resources/manifests/coredns/deployment.yaml:1-109
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.cilium-operator.name-cilium-operator
File: /resources/cilium/deployment.yaml:1-93
Code lines for this resource are too many. Please use IDE of your choice to review the file.
github_actions scan results:
Passed checks: 19, Failed checks: 1, Skipped checks: 0
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
FAILED for resource: on(test)
File: /.github/workflows/test.yaml:0-1