| Repository | scholzj / terraform-aws-kubernetes |
|---|---|
| Description | Terraform module for Kubernetes setup on AWS |
| Stars | 193 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found to be configured in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CICD framework used by the repository
Checkov Output
2023-10-05 14:51:52,314 [MainThread ] [WARNI] Failed to download module scholzj/kubeadm-token/random:None (for external modules, the --download-external-modules flag is required)
2023-10-05 14:51:52,315 [MainThread ] [WARNI] Failed to download module scholzj/kubernetes/aws:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 40, Failed checks: 12, Skipped checks: 0
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group.kubernetes
File: /main.tf:113-124
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
113 | resource "aws_security_group" "kubernetes" {
114 | vpc_id = data.aws_subnet.cluster_subnet.vpc_id
115 | name = var.cluster_name
116 |
117 | tags = merge(
118 | {
119 | "Name" = var.cluster_name
120 | format("kubernetes.io/cluster/%v", var.cluster_name) = "owned"
121 | },
122 | var.tags,
123 | )
124 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.allow_all_outbound_from_kubernetes
File: /main.tf:127-134
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
127 | resource "aws_security_group_rule" "allow_all_outbound_from_kubernetes" {
128 | type = "egress"
129 | from_port = 0
130 | to_port = 0
131 | protocol = "-1"
132 | cidr_blocks = ["0.0.0.0/0"]
133 | security_group_id = aws_security_group.kubernetes.id
134 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.allow_ssh_from_cidr[0]
File: /main.tf:137-153
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
137 | resource "aws_security_group_rule" "allow_ssh_from_cidr" {
138 | count = length(var.ssh_access_cidr)
139 | type = "ingress"
140 | from_port = 22
141 | to_port = 22
142 | protocol = "tcp"
143 | # TF-UPGRADE-TODO: In Terraform v0.10 and earlier, it was sometimes necessary to
144 | # force an interpolation expression to be interpreted as a list by wrapping it
145 | # in an extra set of list brackets. That form was supported for compatibilty in
146 | # v0.11, but is no longer supported in Terraform v0.12.
147 | #
148 | # If the expression in the following list itself returns a list, remove the
149 | # brackets to avoid interpretation as a list of lists. If the expression
150 | # returns a single list item then leave it as-is and remove this TODO comment.
151 | cidr_blocks = [var.ssh_access_cidr[count.index]]
152 | security_group_id = aws_security_group.kubernetes.id
153 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.allow_cluster_crosstalk
File: /main.tf:156-163
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
156 | resource "aws_security_group_rule" "allow_cluster_crosstalk" {
157 | type = "ingress"
158 | from_port = 0
159 | to_port = 0
160 | protocol = "-1"
161 | source_security_group_id = aws_security_group.kubernetes.id
162 | security_group_id = aws_security_group.kubernetes.id
163 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.allow_api_from_cidr[0]
File: /main.tf:166-182
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
166 | resource "aws_security_group_rule" "allow_api_from_cidr" {
167 | count = length(var.api_access_cidr)
168 | type = "ingress"
169 | from_port = 6443
170 | to_port = 6443
171 | protocol = "tcp"
172 | # TF-UPGRADE-TODO: In Terraform v0.10 and earlier, it was sometimes necessary to
173 | # force an interpolation expression to be interpreted as a list by wrapping it
174 | # in an extra set of list brackets. That form was supported for compatibilty in
175 | # v0.11, but is no longer supported in Terraform v0.12.
176 | #
177 | # If the expression in the following list itself returns a list, remove the
178 | # brackets to avoid interpretation as a list of lists. If the expression
179 | # returns a single list item then leave it as-is and remove this TODO comment.
180 | cidr_blocks = [var.api_access_cidr[count.index]]
181 | security_group_id = aws_security_group.kubernetes.id
182 | }
Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
FAILED for resource: aws_instance.master
File: /main.tf:251-291
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances.html
251 | resource "aws_instance" "master" {
252 | instance_type = var.master_instance_type
253 |
254 | ami = data.aws_ami.centos7.id
255 |
256 | key_name = aws_key_pair.keypair.key_name
257 |
258 | subnet_id = var.master_subnet_id
259 |
260 | associate_public_ip_address = false
261 |
262 | vpc_security_group_ids = [
263 | aws_security_group.kubernetes.id,
264 | ]
265 |
266 | iam_instance_profile = aws_iam_instance_profile.master_profile.name
267 |
268 | user_data = data.cloudinit_config.master_cloud_init.rendered
269 |
270 | tags = merge(
271 | {
272 | "Name" = join("-", [var.cluster_name, "master"])
273 | format("kubernetes.io/cluster/%v", var.cluster_name) = "owned"
274 | },
275 | var.tags,
276 | )
277 |
278 | root_block_device {
279 | volume_type = "gp2"
280 | volume_size = "50"
281 | delete_on_termination = true
282 | }
283 |
284 | lifecycle {
285 | ignore_changes = [
286 | ami,
287 | user_data,
288 | associate_public_ip_address,
289 | ]
290 | }
291 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_instance.master
File: /main.tf:251-291
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
251 | resource "aws_instance" "master" {
252 | instance_type = var.master_instance_type
253 |
254 | ami = data.aws_ami.centos7.id
255 |
256 | key_name = aws_key_pair.keypair.key_name
257 |
258 | subnet_id = var.master_subnet_id
259 |
260 | associate_public_ip_address = false
261 |
262 | vpc_security_group_ids = [
263 | aws_security_group.kubernetes.id,
264 | ]
265 |
266 | iam_instance_profile = aws_iam_instance_profile.master_profile.name
267 |
268 | user_data = data.cloudinit_config.master_cloud_init.rendered
269 |
270 | tags = merge(
271 | {
272 | "Name" = join("-", [var.cluster_name, "master"])
273 | format("kubernetes.io/cluster/%v", var.cluster_name) = "owned"
274 | },
275 | var.tags,
276 | )
277 |
278 | root_block_device {
279 | volume_type = "gp2"
280 | volume_size = "50"
281 | delete_on_termination = true
282 | }
283 |
284 | lifecycle {
285 | ignore_changes = [
286 | ami,
287 | user_data,
288 | associate_public_ip_address,
289 | ]
290 | }
291 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.master
File: /main.tf:251-291
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
251 | resource "aws_instance" "master" {
252 | instance_type = var.master_instance_type
253 |
254 | ami = data.aws_ami.centos7.id
255 |
256 | key_name = aws_key_pair.keypair.key_name
257 |
258 | subnet_id = var.master_subnet_id
259 |
260 | associate_public_ip_address = false
261 |
262 | vpc_security_group_ids = [
263 | aws_security_group.kubernetes.id,
264 | ]
265 |
266 | iam_instance_profile = aws_iam_instance_profile.master_profile.name
267 |
268 | user_data = data.cloudinit_config.master_cloud_init.rendered
269 |
270 | tags = merge(
271 | {
272 | "Name" = join("-", [var.cluster_name, "master"])
273 | format("kubernetes.io/cluster/%v", var.cluster_name) = "owned"
274 | },
275 | var.tags,
276 | )
277 |
278 | root_block_device {
279 | volume_type = "gp2"
280 | volume_size = "50"
281 | delete_on_termination = true
282 | }
283 |
284 | lifecycle {
285 | ignore_changes = [
286 | ami,
287 | user_data,
288 | associate_public_ip_address,
289 | ]
290 | }
291 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.master
File: /main.tf:251-291
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized.html
251 | resource "aws_instance" "master" {
252 | instance_type = var.master_instance_type
253 |
254 | ami = data.aws_ami.centos7.id
255 |
256 | key_name = aws_key_pair.keypair.key_name
257 |
258 | subnet_id = var.master_subnet_id
259 |
260 | associate_public_ip_address = false
261 |
262 | vpc_security_group_ids = [
263 | aws_security_group.kubernetes.id,
264 | ]
265 |
266 | iam_instance_profile = aws_iam_instance_profile.master_profile.name
267 |
268 | user_data = data.cloudinit_config.master_cloud_init.rendered
269 |
270 | tags = merge(
271 | {
272 | "Name" = join("-", [var.cluster_name, "master"])
273 | format("kubernetes.io/cluster/%v", var.cluster_name) = "owned"
274 | },
275 | var.tags,
276 | )
277 |
278 | root_block_device {
279 | volume_type = "gp2"
280 | volume_size = "50"
281 | delete_on_termination = true
282 | }
283 |
284 | lifecycle {
285 | ignore_changes = [
286 | ami,
287 | user_data,
288 | associate_public_ip_address,
289 | ]
290 | }
291 | }
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
FAILED for resource: aws_launch_configuration.nodes
File: /main.tf:302-327
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-13.html
302 | resource "aws_launch_configuration" "nodes" {
303 | name_prefix = "${var.cluster_name}-nodes-"
304 | image_id = data.aws_ami.centos7.id
305 | instance_type = var.worker_instance_type
306 | key_name = aws_key_pair.keypair.key_name
307 | iam_instance_profile = aws_iam_instance_profile.node_profile.name
308 |
309 | security_groups = [
310 | aws_security_group.kubernetes.id,
311 | ]
312 |
313 | associate_public_ip_address = var.public_worker
314 |
315 | user_data = data.cloudinit_config.node_cloud_init.rendered
316 |
317 | root_block_device {
318 | volume_type = "gp2"
319 | volume_size = "50"
320 | delete_on_termination = true
321 | }
322 |
323 | lifecycle {
324 | create_before_destroy = true
325 | ignore_changes = [user_data]
326 | }
327 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_launch_configuration.nodes
File: /main.tf:302-327
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html
302 | resource "aws_launch_configuration" "nodes" {
303 | name_prefix = "${var.cluster_name}-nodes-"
304 | image_id = data.aws_ami.centos7.id
305 | instance_type = var.worker_instance_type
306 | key_name = aws_key_pair.keypair.key_name
307 | iam_instance_profile = aws_iam_instance_profile.node_profile.name
308 |
309 | security_groups = [
310 | aws_security_group.kubernetes.id,
311 | ]
312 |
313 | associate_public_ip_address = var.public_worker
314 |
315 | user_data = data.cloudinit_config.node_cloud_init.rendered
316 |
317 | root_block_device {
318 | volume_type = "gp2"
319 | volume_size = "50"
320 | delete_on_termination = true
321 | }
322 |
323 | lifecycle {
324 | create_before_destroy = true
325 | ignore_changes = [user_data]
326 | }
327 | }
Check: CKV_AWS_315: "Ensure EC2 Auto Scaling groups use EC2 launch templates"
FAILED for resource: aws_autoscaling_group.nodes
File: /main.tf:329-355
329 | resource "aws_autoscaling_group" "nodes" {
330 | vpc_zone_identifier = var.worker_subnet_ids
331 |
332 | name = "${var.cluster_name}-nodes"
333 | max_size = var.max_worker_count
334 | min_size = var.min_worker_count
335 | desired_capacity = var.min_worker_count
336 | launch_configuration = aws_launch_configuration.nodes.name
337 |
338 | tags = concat(
339 | [{
340 | key = "kubernetes.io/cluster/${var.cluster_name}"
341 | value = "owned"
342 | propagate_at_launch = true
343 | },
344 | {
345 | key = "Name"
346 | value = "${var.cluster_name}-node"
347 | propagate_at_launch = true
348 | }],
349 | var.tags2,
350 | )
351 |
352 | lifecycle {
353 | ignore_changes = [desired_capacity]
354 | }
355 | }
cloudformation scan results:
Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1
kubernetes scan results:
Passed checks: 982, Failed checks: 186, Skipped checks: 0
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /addons/autoscaler.yaml:1-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /addons/autoscaler.yaml:1-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /addons/autoscaler.yaml:1-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /addons/autoscaler.yaml:1-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /addons/autoscaler.yaml:1-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /addons/autoscaler.yaml:1-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /addons/autoscaler.yaml:1-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /addons/autoscaler.yaml:1-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /addons/autoscaler.yaml:1-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /addons/autoscaler.yaml:1-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /addons/autoscaler.yaml:1-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /addons/autoscaler.yaml:1-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /addons/autoscaler.yaml:1-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.kube-system.cluster-autoscaler
File: /addons/autoscaler.yaml:1-55
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.kube-system.ebs-csi-controller
File: /addons/csi-driver.yaml:262-404
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.kube-system.ebs-csi-controller
File: /addons/csi-driver.yaml:262-404
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.kube-system.ebs-csi-controller
File: /addons/csi-driver.yaml:262-404
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.kube-system.ebs-csi-controller
File: /addons/csi-driver.yaml:262-404
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.kube-system.ebs-csi-controller
File: /addons/csi-driver.yaml:262-404
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.kube-system.ebs-csi-controller
File: /addons/csi-driver.yaml:262-404
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.kube-system.ebs-csi-controller
File: /addons/csi-driver.yaml:262-404
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.kube-system.ebs-csi-controller
File: /addons/csi-driver.yaml:262-404
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.kube-system.ebs-csi-controller
File: /addons/csi-driver.yaml:262-404
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.kube-system.ebs-csi-controller
File: /addons/csi-driver.yaml:262-404
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.kube-system.ebs-csi-controller
File: /addons/csi-driver.yaml:262-404
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.kube-system.ebs-csi-controller
File: /addons/csi-driver.yaml:262-404
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.kube-system.ebs-csi-controller
File: /addons/csi-driver.yaml:262-404
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.kube-system.ebs-csi-controller
File: /addons/csi-driver.yaml:262-404
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.kube-system.ebs-csi-controller
File: /addons/csi-driver.yaml:262-404
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.kube-system.ebs-csi-controller
File: /addons/csi-driver.yaml:262-404
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.kube-system.ebs-csi-controller
File: /addons/csi-driver.yaml:262-404
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.kube-system.ebs-csi-controller
File: /addons/csi-driver.yaml:262-404
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: DaemonSet.kube-system.ebs-csi-node
File: /addons/csi-driver.yaml:407-512
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: DaemonSet.kube-system.ebs-csi-node
File: /addons/csi-driver.yaml:407-512
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: DaemonSet.kube-system.ebs-csi-node
File: /addons/csi-driver.yaml:407-512
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: DaemonSet.kube-system.ebs-csi-node
File: /addons/csi-driver.yaml:407-512
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: DaemonSet.kube-system.ebs-csi-node
File: /addons/csi-driver.yaml:407-512
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_16: "Container should not be privileged"
FAILED for resource: DaemonSet.kube-system.ebs-csi-node
File: /addons/csi-driver.yaml:407-512
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-15.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: DaemonSet.kube-system.ebs-csi-node
File: /addons/csi-driver.yaml:407-512
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: DaemonSet.kube-system.ebs-csi-node
File: /addons/csi-driver.yaml:407-512
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: DaemonSet.kube-system.ebs-csi-node
File: /addons/csi-driver.yaml:407-512
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: DaemonSet.kube-system.ebs-csi-node
File: /addons/csi-driver.yaml:407-512
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: DaemonSet.kube-system.ebs-csi-node
File: /addons/csi-driver.yaml:407-512
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: DaemonSet.kube-system.ebs-csi-node
File: /addons/csi-driver.yaml:407-512
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: DaemonSet.kube-system.ebs-csi-node
File: /addons/csi-driver.yaml:407-512
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: DaemonSet.kube-system.ebs-csi-node
File: /addons/csi-driver.yaml:407-512
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: DaemonSet.kube-system.ebs-csi-node
File: /addons/csi-driver.yaml:407-512
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: DaemonSet.kube-system.ebs-csi-node
File: /addons/csi-driver.yaml:407-512
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: DaemonSet.kube-system.ebs-csi-node
File: /addons/csi-driver.yaml:407-512
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: DaemonSet.kube-system.ebs-csi-node
File: /addons/csi-driver.yaml:407-512
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: DaemonSet.kube-system.ebs-csi-node
File: /addons/csi-driver.yaml:407-512
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.kube-system.metrics-server
File: /addons/metrics-server.yaml:106-175
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.kube-system.metrics-server
File: /addons/metrics-server.yaml:106-175
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.kube-system.metrics-server
File: /addons/metrics-server.yaml:106-175
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.kube-system.metrics-server
File: /addons/metrics-server.yaml:106-175
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.kube-system.metrics-server
File: /addons/metrics-server.yaml:106-175
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.kube-system.metrics-server
File: /addons/metrics-server.yaml:106-175
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.kube-system.metrics-server
File: /addons/metrics-server.yaml:106-175
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.kube-system.metrics-server
File: /addons/metrics-server.yaml:106-175
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.kube-system.metrics-server
File: /addons/metrics-server.yaml:106-175
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.kube-system.metrics-server
File: /addons/metrics-server.yaml:106-175
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.kube-system.heapster
File: /addons/heapster.yaml:20-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
20 | apiVersion: apps/v1
21 | kind: Deployment
22 | metadata:
23 |   name: heapster
24 |   namespace: kube-system
25 | spec:
26 |   replicas: 1
27 |   selector:
28 |     matchLabels:
29 |       task: monitoring
30 |       k8s-app: heapster
31 |   template:
32 |     metadata:
33 |       labels:
34 |         task: monitoring
35 |         k8s-app: heapster
36 |     spec:
37 |       serviceAccountName: heapster
38 |       containers:
39 |       - name: heapster
40 |         image: gcr.io/google_containers/heapster-amd64:v1.5.4
41 |         imagePullPolicy: IfNotPresent
42 |         command:
43 |         - /heapster
44 |         - --source=kubernetes:https://kubernetes.default
45 |       nodeSelector:
46 |         node-role.kubernetes.io/master: ""
47 |       tolerations:
48 |       - key: "node-role.kubernetes.io/master"
49 |         effect: NoSchedule
50 |
51 | ---
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.kube-system.heapster
File: /addons/heapster.yaml:20-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.kube-system.heapster
File: /addons/heapster.yaml:20-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.kube-system.heapster
File: /addons/heapster.yaml:20-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.kube-system.heapster
File: /addons/heapster.yaml:20-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.kube-system.heapster
File: /addons/heapster.yaml:20-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.kube-system.heapster
File: /addons/heapster.yaml:20-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.kube-system.heapster
File: /addons/heapster.yaml:20-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.kube-system.heapster
File: /addons/heapster.yaml:20-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.kube-system.heapster
File: /addons/heapster.yaml:20-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.kube-system.heapster
File: /addons/heapster.yaml:20-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.kube-system.heapster
File: /addons/heapster.yaml:20-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.kube-system.heapster
File: /addons/heapster.yaml:20-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.kube-system.heapster
File: /addons/heapster.yaml:20-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.kube-system.heapster
File: /addons/heapster.yaml:20-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.kube-system.heapster
File: /addons/heapster.yaml:20-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.kube-system.heapster
File: /addons/heapster.yaml:20-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.kube-system.heapster
File: /addons/heapster.yaml:20-51
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.ingress-nginx.default-http-backend
File: /addons/ingress.yaml:9-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 |   name: default-http-backend
13 |   labels:
14 |     app: default-http-backend
15 |   namespace: ingress-nginx
16 | spec:
17 |   replicas: 1
18 |   selector:
19 |     matchLabels:
20 |       app: default-http-backend
21 |   template:
22 |     metadata:
23 |       labels:
24 |         app: default-http-backend
25 |     spec:
26 |       terminationGracePeriodSeconds: 60
27 |       containers:
28 |       - name: default-http-backend
29 |         # Any image is permissible as long as:
30 |         # 1. It serves a 404 page at /
31 |         # 2. It serves 200 on a /healthz endpoint
32 |         image: registry.k8s.io/defaultbackend-amd64:1.5
33 |         livenessProbe:
34 |           httpGet:
35 |             path: /healthz
36 |             port: 8080
37 |             scheme: HTTP
38 |           initialDelaySeconds: 30
39 |           timeoutSeconds: 5
40 |         ports:
41 |         - containerPort: 8080
42 |         resources:
43 |           limits:
44 |             cpu: 10m
45 |             memory: 20Mi
46 |           requests:
47 |             cpu: 10m
48 |             memory: 20Mi
49 | ---
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.ingress-nginx.default-http-backend
File: /addons/ingress.yaml:9-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.ingress-nginx.default-http-backend
File: /addons/ingress.yaml:9-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.ingress-nginx.default-http-backend
File: /addons/ingress.yaml:9-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.ingress-nginx.default-http-backend
File: /addons/ingress.yaml:9-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.ingress-nginx.default-http-backend
File: /addons/ingress.yaml:9-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.ingress-nginx.default-http-backend
File: /addons/ingress.yaml:9-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.ingress-nginx.default-http-backend
File: /addons/ingress.yaml:9-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.ingress-nginx.default-http-backend
File: /addons/ingress.yaml:9-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.ingress-nginx.default-http-backend
File: /addons/ingress.yaml:9-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.ingress-nginx.default-http-backend
File: /addons/ingress.yaml:9-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.ingress-nginx.default-http-backend
File: /addons/ingress.yaml:9-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.ingress-nginx.default-http-backend
File: /addons/ingress.yaml:9-49
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
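The twelve findings above against Deployment.ingress-nginx.default-http-backend all come from fields that are simply absent from the manifest, so one hardened version of the same Deployment clears them together. The manifest below is an added example written for this report, not code from the scholzj/terraform-aws-kubernetes repository or from ingress-nginx. Two things in it are assumptions: the image digest is a placeholder (`<sha256-digest>`) that must be replaced with the real value for the tag, and the fixed UID assumes the defaultbackend binary can run as an arbitrary non-root user with a read-only root filesystem, which holds for a static Go server but should be confirmed for any substitute image. Each added field is commented with the checkov ID it addresses. Note that CKV_K8S_29 looks for a pod-level `securityContext`, separate from the container-level one that CKV_K8S_30 checks; that is why Deployment.kube-system.dashboard-metrics-scraper, whose container already carries a securityContext, still fails CKV_K8S_29.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: default-http-backend
  labels:
    app: default-http-backend
  namespace: ingress-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: default-http-backend
  template:
    metadata:
      labels:
        app: default-http-backend
    spec:
      terminationGracePeriodSeconds: 60
      # CKV_K8S_38: the backend never calls the API server, so do not mount a token
      automountServiceAccountToken: false
      # CKV_K8S_29 / CKV_K8S_31: pod-level context, including the seccomp profile
      securityContext:
        runAsNonRoot: true
        # CKV_K8S_23 / CKV_K8S_40: non-root and above 10000.
        # Assumption: the image runs as any UID (true for a static Go binary).
        runAsUser: 65534
        runAsGroup: 65534
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: default-http-backend
          # CKV_K8S_43: pin by digest rather than tag. <sha256-digest> is a
          # placeholder; resolve the real value with
          #   crane digest registry.k8s.io/defaultbackend-amd64:1.5
          image: registry.k8s.io/defaultbackend-amd64@sha256:<sha256-digest>
          # CKV_K8S_15
          imagePullPolicy: Always
          # CKV_K8S_30 / CKV_K8S_20 / CKV_K8S_22 / CKV_K8S_28 / CKV_K8S_37:
          # container-level context; dropping ALL also removes NET_RAW
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            capabilities:
              drop: ["ALL"]
          ports:
            - containerPort: 8080
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8080
              scheme: HTTP
            initialDelaySeconds: 30
            timeoutSeconds: 5
          # CKV_K8S_9: readiness on the same /healthz endpoint the liveness probe uses
          readinessProbe:
            httpGet:
              path: /healthz
              port: 8080
              scheme: HTTP
            initialDelaySeconds: 5
            timeoutSeconds: 5
          resources:
            limits:
              cpu: 10m
              memory: 20Mi
            requests:
              cpu: 10m
              memory: 20Mi
```

Re-scan the edited file with `checkov -f addons/ingress.yaml --framework kubernetes` to confirm the resource no longer appears in the failed list. The same pod-level and container-level fields, plus `resources.requests` and `resources.limits`, address the findings reported below for Deployment.ingress-nginx.nginx-ingress-controller and the two dashboard Deployments; the one exception is CKV_K8S_33, which flags the existence of the Kubernetes dashboard itself rather than any field in it, so it is resolved by deciding not to ship that addon, not by editing the manifest.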
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.ingress-nginx.nginx-ingress-controller
File: /addons/ingress.yaml:329-403
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.ingress-nginx.nginx-ingress-controller
File: /addons/ingress.yaml:329-403
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.ingress-nginx.nginx-ingress-controller
File: /addons/ingress.yaml:329-403
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_25: "Minimize the admission of containers with added capability"
FAILED for resource: Deployment.ingress-nginx.nginx-ingress-controller
File: /addons/ingress.yaml:329-403
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-24.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.ingress-nginx.nginx-ingress-controller
File: /addons/ingress.yaml:329-403
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.ingress-nginx.nginx-ingress-controller
File: /addons/ingress.yaml:329-403
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.ingress-nginx.nginx-ingress-controller
File: /addons/ingress.yaml:329-403
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.ingress-nginx.nginx-ingress-controller
File: /addons/ingress.yaml:329-403
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.ingress-nginx.nginx-ingress-controller
File: /addons/ingress.yaml:329-403
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.ingress-nginx.nginx-ingress-controller
File: /addons/ingress.yaml:329-403
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.ingress-nginx.nginx-ingress-controller
File: /addons/ingress.yaml:329-403
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.ingress-nginx.nginx-ingress-controller
File: /addons/ingress.yaml:329-403
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.ingress-nginx.nginx-ingress-controller
File: /addons/ingress.yaml:329-403
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.kube-system.kubernetes-dashboard
File: /addons/dashboard.yaml:102-160
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.kube-system.kubernetes-dashboard
File: /addons/dashboard.yaml:102-160
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.kube-system.kubernetes-dashboard
File: /addons/dashboard.yaml:102-160
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.kube-system.kubernetes-dashboard
File: /addons/dashboard.yaml:102-160
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.kube-system.kubernetes-dashboard
File: /addons/dashboard.yaml:102-160
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.kube-system.kubernetes-dashboard
File: /addons/dashboard.yaml:102-160
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.kube-system.kubernetes-dashboard
File: /addons/dashboard.yaml:102-160
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.kube-system.kubernetes-dashboard
File: /addons/dashboard.yaml:102-160
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.kube-system.kubernetes-dashboard
File: /addons/dashboard.yaml:102-160
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.kube-system.kubernetes-dashboard
File: /addons/dashboard.yaml:102-160
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_33: "Ensure the Kubernetes dashboard is not deployed"
FAILED for resource: Deployment.kube-system.kubernetes-dashboard
File: /addons/dashboard.yaml:102-160
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-31.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.kube-system.kubernetes-dashboard
File: /addons/dashboard.yaml:102-160
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.kube-system.kubernetes-dashboard
File: /addons/dashboard.yaml:102-160
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.kube-system.kubernetes-dashboard
File: /addons/dashboard.yaml:102-160
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.kube-system.kubernetes-dashboard
File: /addons/dashboard.yaml:102-160
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.kube-system.kubernetes-dashboard
File: /addons/dashboard.yaml:102-160
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.kube-system.kubernetes-dashboard
File: /addons/dashboard.yaml:102-160
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.kube-system.dashboard-metrics-scraper
File: /addons/dashboard.yaml:178-226
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
178 | kind: Deployment
179 | apiVersion: apps/v1
180 | metadata:
181 | labels:
182 | k8s-app: dashboard-metrics-scraper
183 | name: dashboard-metrics-scraper
184 | namespace: kube-system
185 | spec:
186 | replicas: 1
187 | revisionHistoryLimit: 10
188 | selector:
189 | matchLabels:
190 | k8s-app: dashboard-metrics-scraper
191 | template:
192 | metadata:
193 | labels:
194 | k8s-app: dashboard-metrics-scraper
195 | spec:
196 | containers:
197 | - name: dashboard-metrics-scraper
198 | image: kubernetesui/metrics-scraper:v1.0.8
199 | ports:
200 | - containerPort: 8000
201 | protocol: TCP
202 | livenessProbe:
203 | httpGet:
204 | scheme: HTTP
205 | path: /
206 | port: 8000
207 | initialDelaySeconds: 30
208 | timeoutSeconds: 30
209 | volumeMounts:
210 | - mountPath: /tmp
211 | name: tmp-volume
212 | securityContext:
213 | allowPrivilegeEscalation: false
214 | readOnlyRootFilesystem: true
215 | runAsUser: 1001
216 | runAsGroup: 2001
217 | serviceAccountName: kubernetes-dashboard
218 | nodeSelector:
219 | "kubernetes.io/os": linux
220 | # Comment the following tolerations if Dashboard must not be deployed on master
221 | tolerations:
222 | - key: node-role.kubernetes.io/master
223 | effect: NoSchedule
224 | volumes:
225 | - name: tmp-volume
226 | emptyDir: {}
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.kube-system.dashboard-metrics-scraper
File: /addons/dashboard.yaml:178-226
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.kube-system.dashboard-metrics-scraper
File: /addons/dashboard.yaml:178-226
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.kube-system.dashboard-metrics-scraper
File: /addons/dashboard.yaml:178-226
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.kube-system.dashboard-metrics-scraper
File: /addons/dashboard.yaml:178-226
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.kube-system.dashboard-metrics-scraper
File: /addons/dashboard.yaml:178-226
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.kube-system.dashboard-metrics-scraper
File: /addons/dashboard.yaml:178-226
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_33: "Ensure the Kubernetes dashboard is not deployed"
FAILED for resource: Deployment.kube-system.dashboard-metrics-scraper
File: /addons/dashboard.yaml:178-226
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-31.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.kube-system.dashboard-metrics-scraper
File: /addons/dashboard.yaml:178-226
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.kube-system.dashboard-metrics-scraper
File: /addons/dashboard.yaml:178-226
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.kube-system.dashboard-metrics-scraper
File: /addons/dashboard.yaml:178-226
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.kube-system.dashboard-metrics-scraper
File: /addons/dashboard.yaml:178-226
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.kube-system.dashboard-metrics-scraper
File: /addons/dashboard.yaml:178-226
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.kube-system.dashboard-metrics-scraper
File: /addons/dashboard.yaml:178-226
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: DaemonSet.kube-system.aws-cloud-controller-manager
File: /aws-cloud-provider/aws-cloud-provider.yaml:129-169
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
129 | apiVersion: apps/v1
130 | kind: DaemonSet
131 | metadata:
132 | name: aws-cloud-controller-manager
133 | namespace: kube-system
134 | labels:
135 | k8s-app: aws-cloud-controller-manager
136 | spec:
137 | selector:
138 | matchLabels:
139 | k8s-app: aws-cloud-controller-manager
140 | updateStrategy:
141 | type: RollingUpdate
142 | template:
143 | metadata:
144 | labels:
145 | k8s-app: aws-cloud-controller-manager
146 | spec:
147 | nodeSelector:
148 | node-role.kubernetes.io/control-plane: ""
149 | tolerations:
150 | - key: node.cloudprovider.kubernetes.io/uninitialized
151 | value: "true"
152 | effect: NoSchedule
153 | - key: node-role.kubernetes.io/master
154 | effect: NoSchedule
155 | serviceAccountName: cloud-controller-manager
156 | containers:
157 | - name: aws-cloud-controller-manager
158 | image: registry.k8s.io/provider-aws/cloud-controller-manager:v1.27.0
159 | args:
160 | - --v=2
161 | - --cloud-provider=aws
162 | # Use the superset-role overlay if you don't want a token per controller
163 | - --use-service-account-credentials=true
164 | # Set --configure-cloud-routes=true if required by your CNI
165 | - --configure-cloud-routes=false
166 | resources:
167 | requests:
168 | cpu: 200m
169 | hostNetwork: true
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: DaemonSet.kube-system.aws-cloud-controller-manager
File: /aws-cloud-provider/aws-cloud-provider.yaml:129-169
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: DaemonSet.kube-system.aws-cloud-controller-manager
File: /aws-cloud-provider/aws-cloud-provider.yaml:129-169
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: DaemonSet.kube-system.aws-cloud-controller-manager
File: /aws-cloud-provider/aws-cloud-provider.yaml:129-169
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: DaemonSet.kube-system.aws-cloud-controller-manager
File: /aws-cloud-provider/aws-cloud-provider.yaml:129-169
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Check: CKV_K8S_19: "Containers should not share the host network namespace"
FAILED for resource: DaemonSet.kube-system.aws-cloud-controller-manager
File: /aws-cloud-provider/aws-cloud-provider.yaml:129-169
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-18.html
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: DaemonSet.kube-system.aws-cloud-controller-manager
File: /aws-cloud-provider/aws-cloud-provider.yaml:129-169
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: DaemonSet.kube-system.aws-cloud-controller-manager
File: /aws-cloud-provider/aws-cloud-provider.yaml:129-169
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: DaemonSet.kube-system.aws-cloud-controller-manager
File: /aws-cloud-provider/aws-cloud-provider.yaml:129-169
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: DaemonSet.kube-system.aws-cloud-controller-manager
File: /aws-cloud-provider/aws-cloud-provider.yaml:129-169
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: DaemonSet.kube-system.aws-cloud-controller-manager
File: /aws-cloud-provider/aws-cloud-provider.yaml:129-169
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: DaemonSet.kube-system.aws-cloud-controller-manager
File: /aws-cloud-provider/aws-cloud-provider.yaml:129-169
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: DaemonSet.kube-system.aws-cloud-controller-manager
File: /aws-cloud-provider/aws-cloud-provider.yaml:129-169
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: DaemonSet.kube-system.aws-cloud-controller-manager
File: /aws-cloud-provider/aws-cloud-provider.yaml:129-169
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: DaemonSet.kube-system.aws-cloud-controller-manager
File: /aws-cloud-provider/aws-cloud-provider.yaml:129-169
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: DaemonSet.kube-system.aws-cloud-controller-manager
File: /aws-cloud-provider/aws-cloud-provider.yaml:129-169
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: DaemonSet.kube-system.aws-cloud-controller-manager
File: /aws-cloud-provider/aws-cloud-provider.yaml:129-169
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: DaemonSet.kube-system.aws-cloud-controller-manager
File: /aws-cloud-provider/aws-cloud-provider.yaml:129-169
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Check: CKV_K8S_157: "Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings"
FAILED for resource: ClusterRole.default.tigera-operator
File: /calico/calico-operator.yaml:17879-18099
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-roles-and-clusterroles-that-grant-permissions-to-bind-rolebindings-or-clusterrolebindings-are-minimized.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_158: "Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles"
FAILED for resource: ClusterRole.default.tigera-operator
File: /calico/calico-operator.yaml:17879-18099
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-roles-and-clusterroles-that-grant-permissions-to-escalate-roles-or-clusterrole-are-minimized.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_11: "CPU limits should be set"
FAILED for resource: Deployment.calico.tigera-operator
File: /calico/calico-operator.yaml:18115-18172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
FAILED for resource: Deployment.calico.tigera-operator
File: /calico/calico-operator.yaml:18115-18172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_10: "CPU requests should be set"
FAILED for resource: Deployment.calico.tigera-operator
File: /calico/calico-operator.yaml:18115-18172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-9.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_30: "Apply security context to your containers"
FAILED for resource: Deployment.calico.tigera-operator
File: /calico/calico-operator.yaml:18115-18172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_29: "Apply security context to your pods and containers"
FAILED for resource: Deployment.calico.tigera-operator
File: /calico/calico-operator.yaml:18115-18172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_9: "Readiness Probe Should be Configured"
FAILED for resource: Deployment.calico.tigera-operator
File: /calico/calico-operator.yaml:18115-18172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_19: "Containers should not share the host network namespace"
FAILED for resource: Deployment.calico.tigera-operator
File: /calico/calico-operator.yaml:18115-18172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-18.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
FAILED for resource: Deployment.calico.tigera-operator
File: /calico/calico-operator.yaml:18115-18172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_43: "Image should use digest"
FAILED for resource: Deployment.calico.tigera-operator
File: /calico/calico-operator.yaml:18115-18172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_23: "Minimize the admission of root containers"
FAILED for resource: Deployment.calico.tigera-operator
File: /calico/calico-operator.yaml:18115-18172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_8: "Liveness Probe Should be Configured"
FAILED for resource: Deployment.calico.tigera-operator
File: /calico/calico-operator.yaml:18115-18172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
FAILED for resource: Deployment.calico.tigera-operator
File: /calico/calico-operator.yaml:18115-18172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_13: "Memory limits should be set"
FAILED for resource: Deployment.calico.tigera-operator
File: /calico/calico-operator.yaml:18115-18172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.calico.tigera-operator
File: /calico/calico-operator.yaml:18115-18172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
FAILED for resource: Deployment.calico.tigera-operator
File: /calico/calico-operator.yaml:18115-18172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
FAILED for resource: Deployment.calico.tigera-operator
File: /calico/calico-operator.yaml:18115-18172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_12: "Memory requests should be set"
FAILED for resource: Deployment.calico.tigera-operator
File: /calico/calico-operator.yaml:18115-18172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_15: "Image Pull Policy should be Always"
FAILED for resource: Deployment.calico.tigera-operator
File: /calico/calico-operator.yaml:18115-18172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
FAILED for resource: Deployment.calico.tigera-operator
File: /calico/calico-operator.yaml:18115-18172
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.cluster-autoscaler.k8s-addon-cluster-autoscaler.addons.k8s.io.k8s-app-cluster-autoscaler
File: /addons/autoscaler.yaml:1-55
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.ebs-csi-controller.app-ebs-csi-controller.app.kubernetes.io/name-aws-ebs-csi-driver
File: /addons/csi-driver.yaml:262-404
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.ebs-csi-node.app-ebs-csi-node.app.kubernetes.io/name-aws-ebs-csi-driver
File: /addons/csi-driver.yaml:407-512
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.metrics-server.k8s-app-metrics-server
File: /addons/metrics-server.yaml:106-175
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.heapster.task-monitoring.k8s-app-heapster
File: /addons/heapster.yaml:20-51
20 | apiVersion: apps/v1
21 | kind: Deployment
22 | metadata:
23 |   name: heapster
24 |   namespace: kube-system
25 | spec:
26 |   replicas: 1
27 |   selector:
28 |     matchLabels:
29 |       task: monitoring
30 |       k8s-app: heapster
31 |   template:
32 |     metadata:
33 |       labels:
34 |         task: monitoring
35 |         k8s-app: heapster
36 |     spec:
37 |       serviceAccountName: heapster
38 |       containers:
39 |       - name: heapster
40 |         image: gcr.io/google_containers/heapster-amd64:v1.5.4
41 |         imagePullPolicy: IfNotPresent
42 |         command:
43 |         - /heapster
44 |         - --source=kubernetes:https://kubernetes.default
45 |       nodeSelector:
46 |         node-role.kubernetes.io/master: ""
47 |       tolerations:
48 |       - key: "node-role.kubernetes.io/master"
49 |         effect: NoSchedule
50 |
51 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.default-http-backend.app-default-http-backend
File: /addons/ingress.yaml:9-49
9 | apiVersion: apps/v1
10 | kind: Deployment
11 | metadata:
12 |   name: default-http-backend
13 |   labels:
14 |     app: default-http-backend
15 |   namespace: ingress-nginx
16 | spec:
17 |   replicas: 1
18 |   selector:
19 |     matchLabels:
20 |       app: default-http-backend
21 |   template:
22 |     metadata:
23 |       labels:
24 |         app: default-http-backend
25 |     spec:
26 |       terminationGracePeriodSeconds: 60
27 |       containers:
28 |       - name: default-http-backend
29 |         # Any image is permissible as long as:
30 |         # 1. It serves a 404 page at /
31 |         # 2. It serves 200 on a /healthz endpoint
32 |         image: registry.k8s.io/defaultbackend-amd64:1.5
33 |         livenessProbe:
34 |           httpGet:
35 |             path: /healthz
36 |             port: 8080
37 |             scheme: HTTP
38 |           initialDelaySeconds: 30
39 |           timeoutSeconds: 5
40 |         ports:
41 |         - containerPort: 8080
42 |         resources:
43 |           limits:
44 |             cpu: 10m
45 |             memory: 20Mi
46 |           requests:
47 |             cpu: 10m
48 |             memory: 20Mi
49 | ---
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.nginx-ingress-controller.app-ingress-nginx
File: /addons/ingress.yaml:329-403
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.kubernetes-dashboard.k8s-app-kubernetes-dashboard
File: /addons/dashboard.yaml:102-160
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.dashboard-metrics-scraper.k8s-app-dashboard-metrics-scraper
File: /addons/dashboard.yaml:178-226
178 | kind: Deployment
179 | apiVersion: apps/v1
180 | metadata:
181 |   labels:
182 |     k8s-app: dashboard-metrics-scraper
183 |   name: dashboard-metrics-scraper
184 |   namespace: kube-system
185 | spec:
186 |   replicas: 1
187 |   revisionHistoryLimit: 10
188 |   selector:
189 |     matchLabels:
190 |       k8s-app: dashboard-metrics-scraper
191 |   template:
192 |     metadata:
193 |       labels:
194 |         k8s-app: dashboard-metrics-scraper
195 |     spec:
196 |       containers:
197 |         - name: dashboard-metrics-scraper
198 |           image: kubernetesui/metrics-scraper:v1.0.8
199 |           ports:
200 |             - containerPort: 8000
201 |               protocol: TCP
202 |           livenessProbe:
203 |             httpGet:
204 |               scheme: HTTP
205 |               path: /
206 |               port: 8000
207 |             initialDelaySeconds: 30
208 |             timeoutSeconds: 30
209 |           volumeMounts:
210 |           - mountPath: /tmp
211 |             name: tmp-volume
212 |           securityContext:
213 |             allowPrivilegeEscalation: false
214 |             readOnlyRootFilesystem: true
215 |             runAsUser: 1001
216 |             runAsGroup: 2001
217 |       serviceAccountName: kubernetes-dashboard
218 |       nodeSelector:
219 |         "kubernetes.io/os": linux
220 |       # Comment the following tolerations if Dashboard must not be deployed on master
221 |       tolerations:
222 |         - key: node-role.kubernetes.io/master
223 |           effect: NoSchedule
224 |       volumes:
225 |         - name: tmp-volume
226 |           emptyDir: {}
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.aws-cloud-controller-manager.k8s-app-aws-cloud-controller-manager
File: /aws-cloud-provider/aws-cloud-provider.yaml:129-169
Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
FAILED for resource: Pod.default.tigera-operator.name-tigera-operator.k8s-app-tigera-operator
File: /calico/calico-operator.yaml:18115-18172
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that a linting tool was not found to be implemented in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools